December Patch Tuesday 2019
It is December Patch Tuesday! There are 14 shopping/patching days left until Christmas and one patch Tuesday until Microsoft ends support for Windows 7 and Server 2008/2008 R2. Microsoft has resolved 36 vulnerabilities in the December Patch Tuesday release, one of which is confirmed to be exploited in the wild (CVE-2019-1458). Microsoft also released details on an XP SP3 vulnerability (CVE-2019-1489), but no patch will be forthcoming. Google has released an update for Chrome, resolving 51 vulnerabilities and Adobe has also released several updates; Adobe Reader is the most concerning with 21 vulnerabilities being resolved. An Adobe Flash Player release was issued today but is not security related.
Microsoft resolved CVE-2019-1458, which is a Win32k elevation of privilege vulnerability in the Windows Operating System. The vulnerability is only rated as Important and carries a CVSSv3 base score of 7.8. This is one of many vulnerabilities that Microsoft resolved in 2019 that were being exploited but were not rated as a Critical severity. If your vulnerability management criteria use vendor severity or CVSS score as criteria for determining what should be updated, you should re-evaluate your criteria to ensure exploited vulnerabilities like this do not slip past your prioritization process.
Microsoft released a CVE for Windows XP SP3 (CVE-2019-1489) while they state in the bulletin that Windows XP is out of support. The way this CVE is documented is also a bit confusing. The Microsoft Exploitability Assessment for Latest Software Release and Older Software Release is 0 which is usually the value reserved for a vulnerability that is known to be exploited, yet the exploited value was currently set to “No” as the bulletin was released today. If you look at the zero-day from this month (CVE-2019-1458) the Exploitability Assessment for Older Software Release is “0 - Exploitation Detected,” an odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.
Adobe released updates for Adobe Acrobat Reader, Flash Player, Photoshop, Brackets and ColdFusion. Again, the Flash update is non-security related. Photoshop and Brackets are both rated as priority 3 and resolve a total of three CVEs between them. ColdFusion resolves one CVE and is rated as a priority 2 by Adobe. Acrobat Reader resolves a total of 21 CVEs, 14 of which are Critical and the most severe of these could allow arbitrary code execution on the affected system.
Microsoft has also released servicing stack updates for Windows 7, Server 2008, Server 2008 R2 and Server 2012 as part of the December Patch Tuesday release.
Microsoft has resolved several vulnerabilities in Visual Studio this month. The CVEs all affect the Git functionality which allows a developer to call into a repository to pull a specific module into their project. In these scenarios an attacker would need to convince a developer to clone a malicious repository. This may be difficult to execute, but if it can be pulled off the rewards for the threat actor could be quite lucrative. This is a spear phishing escalation of privilege into the engineering group. Hypothetically a threat actor could target a software vendor or service provider. If they know enough about the vendor’s platform and have access to a list of email addresses for those developers, they could create a spear phishing campaign to target these users and attempt to convince them to access their malicious repository. It is very common for developers to share code across or to ask someone to debug an issue they are seeing. If an unsuspecting developer connects to the repository from someone they think they trust, then an attacker can gain control of their development environment.
Third party vendors are becoming a higher priority target for threat actors and give them an ability to attack many targets at once through a coordinated attack at the vendor. Recent ransomware attacks in the healthcare and hospitality industries have targeted vendors who support many small businesses. These attacks on multiple businesses create enough pain to extort a larger ransom where the individual businesses alone would otherwise not have been worthwhile targets.