VERT Threat Alert: December 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s December 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-863 on Wednesday, December 11th. 

In-The-Wild & Disclosed CVEs

CVE-2019-1458

A vulnerability in Win32k is currently seeing active exploitation that could give an attacker the ability to run arbitrary code in kernel mode. Microsoft has addressed this vulnerability by correcting how Win32k handles objects in memory. The latest software releases are not impacted by this vulnerability. Microsoft has rated this as a 4 (N/A) on the latest software release and 0 (Exploitation Detected) on older software releases on the Exploitability Index.

CVE-2019-1489

Microsoft has released a notification regarding RDP on Windows XP SP3. This is end of life software without an available update and Microsoft has indicated they have no plans to release one. There is no indication that this vulnerability has been publicly disclosed or exploited based on the exploitability index, but Microsoft has indicated that an attacker could use this vulnerability to obtain information that could be used to further compromise the user’s system. Microsoft has rated this as a 0 (Unknown) on both the latest and older software releases on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis.

Tag	CVE Count	CVEs
Windows Hyper-V	2	CVE-2019-1470, CVE-2019-1471
Skype for Business	1	CVE-2019-1490
Open Source Software	1	CVE-2019-1487
SQL Server	1	CVE-2019-1332
Microsoft Windows	7	CVE-2019-1453, CVE-2019-1474, CVE-2019-1483, CVE-2019-1488, CVE-2019-1476, CVE-2019-1477, CVE-2019-1478
Microsoft Graphics Component	4	CVE-2019-1465, CVE-2019-1466, CVE-2019-1467, CVE-2019-1468
Microsoft Scripting Engine	1	CVE-2019-1485
Windows OLE	1	CVE-2019-1484
Visual Studio	7	CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387, CVE-2019-1486
Windows Kernel	3	CVE-2019-1472, CVE-2019-1458, CVE-2019-1469
End of Life Software	1	CVE-2019-1489
Microsoft Office	5	CVE-2019-1400, CVE-2019-1461, CVE-2019-1462, CVE-2019-1463, CVE-2019-1464
Windows Media Player	2	CVE-2019-1480, CVE-2019-1481

Other Information

In addition to the Microsoft vulnerabilities included in the December Security Guidance,  an advisory was also released today.

Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business [ADV190026]

Microsoft has announced that when Windows Hello for Business (WHfb) is used that public keys can persist within Active Directory even after a device is removed. These orphaned public keys could be obtained by an authenticated attacker and, if they were created on TPMs that were affected by CVE-2017-15361, could be used to compute the private key. This could allow for user impersonation. The advisory includes details on the issue along with a PowerShell script for cleaning up orphaned keys as well as keys affected by CVE-2017-15361.