Browser automation script.
Patch Tuesday The November edition of Patch Tuesday has landed with scheduled updates from Microsoft, Adobe, and SAP, along with the debut of a new update calendar from Intel.
Scripting bug draws attacks on IE
Microsoft’s monthly batch of fixes addresses 74 CVE-listed security vulnerabilities, more than a dozen of them considered to be critical risks.
One of those vulnerabilities, CVE-2019-1429, is already under attack in the wild. The flaw is a remote code execution vulnerability, specifically a memory-corrupting hole, in Internet Explorer, which also affects Office.
“This vague description for memory corruption means that an attacker can execute their code if an affected browser visits a malicious web page or opens a specially crafted Office document,” explained Dustin Childs of the Trend Micro Zero Day Initiative.
“That second vector means you need this patch even if you don’t use IE.”
Four guest-escape bugs (CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, CVE-2019-1398) were found in Hyper-V. In each case, an attacker in a virtual machine would be able to run a malicious application that could run arbitrary code on the host server.
A remote code execution vulnerability in Exchange (CVE-2019-1373) was attributed to “deserialization of metadata via PowerShell,” and would allow the attacker to run code with the security clearance of the logged-in user: almost certainly an admin if we are talking about PowerShell access.
This month also brings the usual assortment of browser-based attacks with three remote code execution bugs for the Edge scripting engine (CVE-2019-1426, CVE-2019-1427, CVE-2019-1428) and one for VBScript (CVE-2019-1390. Fans of the classic “bad font” attacks will want to take a look at CVE-2019-1419, a remote code execution bug via OpenType fonts handled by Windows Adobe Type Manager Library.
Bonus bug report: 5G hardware vulnerable
If the patch bonanza wasn’t enough, there have also been reports that parts of the new 5G wireless broadband system could be vulnerable to attacks. Researchers from the University of Iowa and Purdue University say a malicious base station could be used to trick devices into handing over location info or send out fake emergency alerts.
For Office, two of the more serious bugs include a remote code execution flaw (CVE-2019-1448) and a security bypass bug (CVE-2019-1457) in Excel.
Finally, Microsoft has released guidance on security issues in Trusted Platform Modules. More on that here.
Intel opens the doors on its own Patch Tuesday plan
It seems our Patch Tuesday coverage is only going to be getting larger, thanks to the first of what looks to be many monthly security fix drops from Intel.
Chipzilla says that it too will make the second Tuesday of the month a scheduled security patch day for customers, and to kick off the fun it has dropped a set of patches addressing a total of 77 vulnerabilities, the majority of them in the Intel Management Engine, BMC firmware, and ethernet controllers.
Intel also posted its microcode fix for the newly-disclosed ZombieLoad side-channel attack variant.
Adobe drops four fixes for November
For Adobe it was a rather light Patch Tuesday, as the creative media giant posted fixes for three remote code execution bugs in Illustrator, a privilege escalation flaw in Animate CC, five information disclosure bugs in the Adobe Media Encoder, and two information disclosure vulnerabilities in Bridge CC.
SAP drops updates
Those running SAP software in their business will want to make sure they check for updates, as the enterprise giant has posted its own set of security fixes.
According to an analysis of the patches from security company Onapsis, some of the more pressing flaws include authorization bypass issues in SAP Internet Pricing Configurator, information disclosure bugs in Business Objects Business Intelligence Platform, and a missing authorization component in the ECATT framework. ®