Microsoft has released its December Patch Tuesday updates, which address 36 vulnerabilities, including one elevation of privilege zero day already being attacked in the wild that affects Win32k component.
The previously undisclosed Win32k flaw CVE-2019-1458 is only rated as “important” but, as confirmed by Microsoft, it is already being exploited in attacks.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft noted.
The bug was reported by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. They’re the same pair of researchers who reported a zero-day affecting Chrome that was patched by Google in late October. Kaspersky reported the Chrome bug was being exploited using a compromised Korean-language news portal.
As noted by ZDI’s Dustin Childs, there was speculation the Chrome bug had been paired with Windows kernel bug for a sandbox escape. The new Windows bug would allow an attacker to achieve a sandbox escape, however it’s not confirmed this specific bug was used by the same group.
Of this month’s 36 Patch Tuesday patches, seven flaws were rated critical, 28 are rated as important, and one is rated moderate.
The patches address flaws Microsoft Windows, Internet Explorer, Hyper-V Server, Microsoft Defender, GitHub Library, Office and Office Services and Web Apps, and SQL Server.
Five of the critical flaws this month affect Git for Visual Studio. The other two critical flaws include a Win32k Graphics remote code execution (RCE) vulnerability and and a RCE affecting Windows Hyper-V.
The Hyper-V flaw, CVE-2019-1471, allows an attacker on a guest operating system to cause the Hyper-V host operating system execute arbitrary code, according to Microsoft, which in this update corrected how Hyper-V validates guest OS user input.
The Win32 Graphics bug, CVE-2019-1468, exists in the Windows font library which improperly handles specially crafted embedded fonts and could give a attacker full control over am affected system.
Additionally, Windows 10 Mobile, version 1709 reached end of service with this Patch Tuesday and will no longer receive monthly security and quality updates.
And Microsoft offered a reminder that after 14 January 2020, Windows 7 and Windows Server 2008 R2 “will be out of extended support and no longer getting security updates”.
Today's Windows 7 update KB4530734 also installs a feature that will deliver an unavoidable message, come January 15, 2020, for users to upgrade to Windows 10.
"Starting on January 15, 2020, a full-screen notification will appear that describes the risk of continuing to use Windows 7 Service Pack 1 after it reaches end of support on January 14, 2020. The notification will remain on the screen until you interact with it," Microsoft says.
The message will appear for Windows 7 users on Starter, Home Basic, and Home Premium editions. Users on the Professional edition will also see the warning unless they have purchases the Extended Security Update.