December is here already and ‘tis the season to be jolly – but not so jolly that we forget to stay vigilant and on guard against the attackers who want to send us the wrong kind of gifts. Unfortunately those who look for software vulnerabilities to exploit rarely take the holiday off, so it’s still important not to slack off on keeping your systems up to date.

We’ve already had some major cyberattacks just ten days into the month, including one that shut down many of the systems in the Florida city of Pensacola only hours after a shooting at the naval base there. And some users are making it easier for hackers; Microsoft stated recently in their latest Security Intelligence Report that they found more than 44 million reused passwords for their Azure Active Directory and Microsoft Services accounts.

The bad guys have numerous ways to infiltrate networks, of course. Exploiting vulnerabilities in popular operating systems, applications, and protocols is one of their favorites, but Microsoft and other software vendors work hard to stay a step ahead of them when possible, or to respond quickly when a zero-day attack does occur.

Compared to some recent months, this is a relatively light Patch Tuesday. Microsoft did release updates for all versions of the Windows OS, but there are fewer vulnerabilities addressed and few of those are rated critical.

Keeping systems updated is only one component in protecting against attacks, but it’s an essential one, and one of the most cost-effective. In addition to the OS updates, Microsoft also issued patches this month for Office, SQL Server, Visual Studio, and Skype for Business. Let’s look at some of the specifics of the December software updates and the vulnerabilities that they address.

Operating system, OS components, and web browser updates

First, we need to note that Windows 7 is reaching end of support life for all versions except Enterprise and Small Business. If you’re running Windows 7 Home, Professional, or Ultimate editions, expect to see a notification on January 15, 2020 that your operating system will receive no more updates after January Patch Tuesday. It’s time to take the leap of faith and move to Windows 10; while Windows 7 was a great OS in its time and the learning curve for the new interface may be a little scary at first, you’ll find that Win10 really does offer more features and functionality along with better security.

As for now, though, Windows 7 is still getting updates so you have a little time to prepare for the transition. Let’s take a look at all the OS patches released this time.

Windows 10 and Windows Server 2019

This month’s patches address vulnerabilities in Windows 10 versions 1803, 1809, 1903, and 1909. These include 15 in 1809 and 14 in each of the others, with 2 that are rated as critical in each. The critical vulnerabilities are remote code execution issues.

See the following KB articles for information about the issues addressed by the December 10 updates for the various versions of Windows 10:

Windows 10 version 1803 – KB4530717 – Contains updates to improve security when Windows performs basic operations and updates to improve security when using external devices (such as game controllers and web cameras). Security updates to Windows Virtualization, Windows Kernel, Windows Peripherals, the Microsoft Scripting Engine, and Windows Server.

Windows 10 version 1809 – KB4530715 – Contains updates to improve security when Windows performs basic operations and updates to improve security when using external devices (such as game controllers and web cameras). Security updates to Windows Virtualization, Windows Kernel, Windows Peripherals, the Microsoft Scripting Engine, and Windows Server.

Windows 10 versions 1903 and 1909 – KB4530684 – Contains updates to improve security when Windows performs basic operations.

Note: Windows 10, versions 1903 and 1909 share a common core operating system and an identical set of system files. As a result, the new features in Windows 10, version 1909 were included in the recent monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are currently in a dormant state. These new features will remain dormant until they are turned on using an enablement package, which is a small, quick-to-install “master switch” that simply activates the Windows 10, version 1909 features.

Windows 10 older versions

KB4530681 — Cumulative Update for Windows 10 Version 1507

KB4530689 — Cumulative Update for Windows 10 Version 1607

KB4530711 — Cumulative Update for Windows 10 Version 1703

KB4530714 — Cumulative Update for Windows 10 Version 1709

You can find details about each of the patches in the corresponding KB articles linked to each OS version above. Note that some of the cumulative updates also address non-security issues. This article focuses on the security-related fixes.

Older client operating systems

If you’re still using an older supported version of Windows, you’ll still need to be diligent about applying this month’s updates as critical vulnerabilities apply across all versions.

The following security updates apply to previous Windows operating systems:

  • Windows 8.1/Server 2012 R2 – Monthly Rollup: KB4530702 and Security-only Update: KB4530730. Includes security updates to Windows Virtualization, Windows Kernel, Windows Peripherals, the Microsoft Scripting Engine, and Windows Server.
  • Windows 7 – Monthly Rollup: KB4530734 and Security-only Update: KB4530692. Includes security updates to Windows Input and Composition, Windows Virtualization, Windows Kernel, Windows Peripherals, the Microsoft Scripting Engine, and Windows Server.

You can find details about each of the patches in the corresponding KB articles linked to each OS version above.

Prior Windows Server operating systems

Windows Server 2008 and 2012 received regular monthly and security-only updates as follows:

  • Windows Server 2008 – Security Monthly Quality Rollup for Windows Server 2008 KB4530695 and Security Only Quality Update for Windows Server 2008 KB4530719. Security updates to Windows Input and Composition, Windows Virtualization, Windows Kernel, and Windows Peripherals.
  • Windows Server 2012 R2 – Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB4530702) and Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB4530730). Security updates to Windows Virtualization, Windows Kernel, Windows Peripherals, and Windows Server.

Microsoft web browsers

Internet Explorer received a security fix this month for a single vulnerability rated important.

KB4530677 – Cumulative security update for Internet Explorer

Microsoft Office

Microsoft Office 2016 – KB4532624
Microsoft Office 2013 – KB4532624
Microsoft Office 2020 – KB4532624

These updates address an information disclosure vulnerability that is rated important.

Other Microsoft products and Services

Updates were also released this month for the following software:

SQL Server

Visual Studio 2017 v15.9 Security Advisory Notice – Addresses the following CVEs:

  • CVE-2019-1349 Git for Visual Studio Remote Execution Vulnerability due to too lax restrictions on submodule names
  • CVE-2019-1350 Git for Visual Studio Remote Execution Vulnerability due to incorrect quoting of command-line arguments
  • CVE-2019-1351 Git for Visual Studio Arbitrary File Overwrite Vulnerability due to usage of non-letter drive names during clone
  • CVE-2019-1352 Git for Visual Studio Remote Execution Vulnerability due to unawareness of NTFS Alternate Data Streams
  • CVE-2019-1354 Git for Visual Studio Arbitrary File Overwrite Vulnerability due to not refusing to write out tracked files containing backslashes
  • CVE-2019-1387 Git for Visual Studio Remote Execution Vulnerability due to too lax validation of submodule names in recursive clones

Skype for Business Server 2019 CU2 – 4534761 – This security update resolves vulnerabilities when a Lync Server or Skype for Business Server does not properly sanitize a specially crafted request.

Known issues

There are several known issues with the various updates, so please check out the “Known Issues” in each of the applicable KB articles.

  • 4484190 – Excel 2013
  • 4484179 – Excel 2016
  • 4461590 – PowerPoint 2013
  • 4484190 – PowerPoint 2016
  • 4484190 – Word 2013
  • 4484190 – Word 2016
  • 4530681 – Windows 10
  • 4530684 – Windows 10, version 1803 and 1809, Windows Server version 1803 and 1809
  • 4530689 – Windows 10, version 1607, Windows Server 2016
  • 4530691 – Windows Server 2012 (Monthly Rollup)
  • 4530698 – Windows Server 2012 (Security-only update)
  • 4530702 – Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
  • 4530714 – Windows 10, version 1709
  • 4530715 – Windows 10, version 1809, Windows Server 2019
  • 4530717 – Windows 10, version 1803, Windows Server version 1803
  • 4530730 – Windows 8.1, Windows Server 2012 R2 (Security-only update)
  • 4530734 – Windows 7 SP1, Windows Server 2008 R2 SP1 (Monthly Rollup)

Critical vulnerabilities

The following are some examples of the critical vulnerabilities addressed by this month’s updates (this is not necessarily a comprehensive list of all vulnerabilities patched this month):

CVE-2019-1471 | Windows Hyper-V Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

CVE-2019-1468 | Win32k Graphics Remote Code Execution Vulnerability. A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit this vulnerability.

CVE-2019-1354 | Git for Visual Studio Remote Code Execution Vulnerability. A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo.
