December's “update Tuesday” from Microsoft brought patches for 36 vulnerabilities, 7 of which were rated critical, including a zero-day vulnerability already exploited by cybercriminals.
The 0-day received the identifier CVE-2019-1458 and was discovered by Kaspersky Lab experts. The researchers say that the new vulnerability is associated with a 0-day bug in the Chrome browser that was discovered and fixed last month.
While studying the problem in Chrome, the experts suggested that it was used in conjunction with some other vulnerability needed to escalate privileges and escape from the sandbox. Further investigation confirmed this theory and helped to detect the 0-day in Windows. Microsoft representatives report that the vulnerability allows an attacker to elevate privileges and exists because the Win32k component fails to correctly handle objects in memory.
Recall that the researchers at Kaspersky Lab were unable to attribute the attacks exploiting these vulnerabilities to a specific hacker group, but named them WizardOpium. According to the analysts, the attackers' code shows certain similarities to attacks by the Lazarus group; however, this may well be a distraction.
In addition to the 0-day vulnerability in Windows, Microsoft engineers fixed more than 30 other vulnerabilities in their products, including SQL Server, Visual Studio, Skype for Business, Microsoft Office, as well as Microsoft Office services and web applications. This made the December “update Tuesday” the most modest of 2019 and one of the “lightest” in the last three years.
Among the other serious bugs fixed by Microsoft this month, it is worth noting CVE-2019-1468: remote code execution in Win32k. This is a classic font attack: an attacker embeds a malicious font file in a web page and attacks the system of any user who visits that page. Also critical is CVE-2019-1471 in Windows Hyper-V, which allows remote code execution on the host from a guest virtual machine.
As usual, not only Microsoft but also other companies released fixes for their products.
In December 2019, Adobe released updates for Acrobat, Photoshop, Brackets, and ColdFusion. Most of the fixes were for Acrobat and Acrobat Reader, where 21 bugs were eliminated. Two bugs were fixed in Photoshop (CVE-2019-8253 and CVE-2019-8254), affecting Windows and macOS. Each of the bugs could potentially lead to the execution of arbitrary code.
SAP developers have also already published patches, fixing seven vulnerabilities, including issues in Adaptive Server Enterprise (CVE-2019-0402), SAP BusinessObjects (CVE-2019-0395), and SAP Enable Now (CVE-2019-0405).