November 2019 Patch Tuesday – 74 vulns, 13 Critical, Actively Attacked IE vuln, Hyper-V escapes, Adobe

This month’s Microsoft Patch Tuesday addresses 74 vulnerabilities with 13 of them labeled as Critical. Of the 13 Critical vulns, 5 are for browsers and scripting engines. Out of the 8 remaining Critical vulns, 4 are potential hypervisor escapes in Hyper-V, and the rest are vulnerabilities in Microsoft Exchange, Win32k, Windows Media Foundation, and OpenType. Adobe’s Patch Tuesday was on time this month, and covers 11 vulns spread across Animate, Illustrator, Media Encoder, and Bridge.

Workstation Patches

Scripting Engine, Browser, Win32k, WMF, and OpenType patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

One of the Scripting Engine vulnerabilities (CVE-2019-1429) impacting Internet Explorer has been reported by Microsoft as being Actively Attacked in the wild.

Microsoft Exchange

There are few details in the security bulletin for the Remote Code Execution vulnerability (CVE-2019-1373) in Microsoft Exchange. The bulletin states that the user must execute PowerShell cmdlets against the Exchange server, but it does not state what level of privileges is required to exploit the vulnerability. With this being unknown at this time, it is recommended that this patch be prioritized for any Microsoft Exchange servers.

Hyper-V Hypervisor Escapes

Four remote code execution vulnerabilities (CVE-2019-1389, CVE-2019-1397, CVE-2019-1398, and CVE-2019-0721) are patched in Hyper-V and Hyper-V Network Switch that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of these vulnerabilities is less likely, but these patches should still be prioritized for all Hyper-V systems.

Guidance on TPM Vulnerability

Microsoft has also issued a Security Advisory on a vulnerability in certain TPM chipsets from STMicroelectronics. The vulnerability impacts key confidentiality in the ECDSA signature algorithm. While there is no vulnerability in Windows itself, a firmware update to the TPM may be needed. The vendor link in the Security Advisory is not pointing to the proper location, but even if manually followed, the page appears to be down at this time.

Adobe

Adobe’s October Patch Tuesday was delayed last month, but covered Acrobat/Reader, Download Manager, Experience Manager, and Experience Manager Forms. The Acrobat/Reader patches cover 45 critical vulns, and should be prioritized for Workstations with this software installed. The Experience Manager patch also covers one Critical vulnerability. Adobe has ranked the Acrobat/Reader and Experience Manager patches as Priority 2, while the others are ranked as Priority 3.

For November’s Patch Tuesday, Adobe has released security patches for Animate, Illustrator, Media Encoder, and Bridge. The Illustrator patch covers two Critical vulns, while the Media Encoder patch covers one. Adobe has ranked all of these patches as Priority 3.