For its final Patch Tuesday release of the year, Microsoft Corporation issued a series of security updates that fixed a total of 35 vulnerabilities, seven of which were deemed critical and one of which was found to be actively exploited.
The most severe flaws consist of remote code execution vulnerabilities in Git for Visual Studio (five: CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354 and CVE-2019-1387), Win32k Graphics (CVE-2019-1468) and Windows Hyper-V (CVE-2019-1471).
The five RCE flaws in Visual Studio are all caused by improper sanitization. "An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft warns in its various advisory pages for the bugs. "To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo."
Microsoft explains that it has fixed the problems by "correcting how Git for Visual Studio validates command-line input."
Notable among the remaining vulnerabilities is CVE-2019-1458, a privilege escalation flaw found in the Win32k driver. Although it was not assessed as critical, researchers from Kaspersky determined that malicious actors have been actively exploiting the bug as a zero-day to elevate privileges on infected machines and also to escape the Google Chrome browser's sandbox protections.
In a press release Tuesday, Russian cyber firm Kaspersky reveals that these actors are the ones behind Operation WizardOpium – a mysterious malware campaign that the security company described in a blog post last November. In that earlier report, Kaspersky noted that these actors had been exploiting a zero-day code execution bug in Chrome that Google patched on Oct. 31.
Kaspersky now says that the newly discovered exploit was found embedded in the older Chrome exploit.
“This type of attack requires vast resources. However, it gives significant advantages to the attackers and, as we can see, they are happy to exploit it,” said Anton Ivanov, security expert at Kaspersky, in the release. "The number of zero days in the wild continues to grow and this trend is unlikely to go away. Organizations need to rely on the latest threat intelligence available at hand and have protective technologies that can proactively find unknown threats such as zero-day exploits."
Although Microsoft fixed 35 vulnerabilities, there was actually a 36th bug that the company did not bother to fix: CVE-2019-1489, an information disclosure vulnerability in Remote Desktop Protocol for Microsoft Windows XP Service Pack 3. Because Windows XP is out of support, Microsoft has elected not to address the vulnerability.
