Microsoft today issued updates covering 74 vulnerabilities, 13 critical, as part of its November Patch Tuesday roll out with two flaws, CVE-2019-1429 and CVE-2019-1457, catching the eye of several cybersecurity researchers as particularly important.
CVE-2019-1429 is a scripting engine memory corruption vulnerability that has been exploited in the wild as a zero day. When exploited an attacker can gain the same user rights as the target and if that person is logged on with administrative user rights, the attacker could take control of an affected system giving that person the ability to install programs; view, change, or delete data; or create new accounts with full user rights.
Satnam Narang, senior research engineer at Tenable, noted an attacker would have to do some extra work to utilize this vulnerability.
“An attacker would need to convince a user to visit a website containing the exploit code using Internet Explorer in order to exploit the flaw,” he said.
CVE-2019-1457 is a Microsoft Office Excel Security Feature Bypass that was first disclosed in October, but has not been exploited. To take advantage of the flaw an attacker would have to convince a user to open a specially crafted file with an affected version of Microsoft Office software, which would allow the attacker to write arbitrary code.
Even though this vulnerability has not been exploited, Chris Goettl, director of product management, Security, Ivanti, noted that now that the issue is known malicious actors can attempt an exploit so implementing the patch is crucial.
“Whatever is executed in the macro that was triggered by bypassing the security settings of Excel would be the real risk of this vulnerability. This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed threat actors have had a jump start on being able to develop an exploit to take advantage of the CVE. This puts it at higher risk of exploitation,” he said.
Qualys’ Director of Product Management Jimmy Graham pointed out several other vulnerabilities that he believes deserve special attention this month. CVE-2019-1373 should be prioritized for a remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell.
Additionally, in Hyper V and Hyper V Network Switch the remote code execution vulnerabilities CVE-2019-1389, CVE-2019-1397, CVE-2019-1398 and CVE-2019-0721 were patched. If left unpatched it would be possible for an authenticated user on a guest system to run arbitrary code on the host system. Microsoft did note tha exploitation of these vulnerabilities is less likely, but these patches should still be prioritized for all Hyper-V systems, Graham said.