November Patch Tuesday
Vendors unleashed a virtual torrent of patches and updates for November’s Patch Tuesday. We strongly recommend that you take the time to scan the sites of the various vendors and manufacturers you rely on for patches and updates to your business-critical software and systems. Here are a few patches as well as some updates from some of the larger developers:
Microsoft
Microsoft released a wealth of security updates for November’s Patch Tuesday. Overall, there were 73 updates and two advisories. Fourteen of the security updates and one of the advisories were rated as critical, and one of those critical vulnerabilities, CVE-2019-1429 – a scripting engine memory corruption vulnerability, is currently being actively exploited in the wild. This is a use after free issue identified in IE11. The vulnerability can be exploited to achieve remote code execution. Exploitation has been detected, so this one needs to be addressed as a priority.
The first of the two advisories (ADV190024) addresses Microsoft guidance for a vulnerability (CVE-2019-16863) in the Trusted Platform Module (TPM). According to Microsoft, the vulnerability weakens key confidentiality protection for a specific algorithm (ECDSA). This is a vulnerability in the TPM firmware, and not in the Windows OS or in any specific application, and Windows is not using the vulnerable algorithm. However, other software or services do use this algorithm, so if your system is affected you will need to re-enroll in security services to remediate those affected services. The second advisory (ADV990001) addresses the latest servicing stack updates.
FortiGuard Labs researcher, Wayne Low, discovered one of the vulnerabilities that was patched in this month’s release: Microsoft splwow64 Elevation of Privilege Vulnerability CVE-2019-1380. Splwow64 was previously found exploited in the wild and fixed by Microsoft on September 2019 and assigned with CVE-2019-0880. The nature of the vulnerability provides a powerful arbitrary read/write privilege, which allows the attacker to achieve code execution under elevated user privilege. A sandbox escape is possible because its Local Procedure Call (LPC) interface can be triggered by arbitrary users, even AppContainer. As a result, the vulnerability is typically used in privilege escalation. Based on our analysis of September’s CVE-2019-0880 patch, we determined that the patch was bypassable using a race condition exploitation approach. Microsoft has since decided to address the issue this month as CVE-2019-1380.
For a full list of November’s Microsoft updates and advisories, visit the: Microsoft Security Update Guide.
Adobe
Adobe released security updates today addressing flaws in Adobe Animate CC, Adobe Illustrator, Adobe Media Encoder, and Adobe Bridge CC. Two critical memory corruption vulnerabilities (CVE-2019-8247 and CVE-2019-8248) that lead to remote code execution (RCE) in Adobe Illustrator CC for Windows and macOS were discovered by FortiGuard Labs researcher, Kushal Arvind Shah. Adobe Illustrator software is widely used, and Adobe recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism. Further details are noted here: Adobe Security Bulletin
Intel
Intel also released security updates and advisories to address vulnerabilities in multiple products. We recommend reviewing the full list of advisories on the Cybersecurity and Infrastructure Security Agency (CISA) website, as well as on Intel’s advisories page.
Conclusion
As always, the single best defense to protect your devices and data is to promptly apply security updates. We recommend beginning with those patches targeting vulnerabilities identified as severe, as well as using a tool like Fortinet’s Security Rating System to prioritize patches for your most vulnerable systems.
Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.