November 2019 Patch Tuesday fixes 13 critical flaws and one zero day

November’s Patch Tuesday arrived this week to plug 73 CVE-level vulnerabilities across Microsoft’s software products, including 13 given the top billing of ‘critical’.

Fortunately, only one of this month’s flaws is known to be exploited, CVE-2019-1429, a scripting engine vulnerability in Internet Explorer reported independently by a trio of researchers.

As we’ve explained in previous articles on IE, because its code is inside all versions of Windows, these vulnerabilities potentially affect users who no longer use it because they’ve moved on to alternatives.

There’s an extra dimension – Microsoft Office – which, because it uses the same rendering engine, could be exploited by an embedded ActiveX control on a boobytrapped webpage marked “safe for initialisation”.

Because that makes it a zero day, patching this is priority number one. A second IE critical is CVE-2019-1390, an issue with how the VBScript engine handles objects in memory that raises the same Office issue already discussed.

Although not known to be exploited, another to watch out for in this regard is CVE-2019-1457, a macro security bypass affecting the Mac version of Excel 2016 and 2019 which Naked Security discussed when it was disclosed a month ago by security company Outflank.

One oddity worth mentioning is CVE-2018-12207, which, with its ID from last year (2018), looks like a mysterious 74th CVE. This turns out to be a denial of service vulnerability in Intel processors affecting guest virtual machines (VMs) which, despite its ID date, was only revealed in slightly controversial circumstances by the chip giant this week.

On the Intel theme, the company recently started synchronising its patches to coincide with Patch Tuesday in the style of Adobe. Although they don’t have an impact only on Microsoft software, it’s meant to be helpful. View Intel’s video blog on what’s in this month’s update on its security site.

Hyper-V

A theme this month is the unusually heavy nine patches for Microsoft’s Hyper-V virtualisation, four of which (CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, and CVE-2019-1398) make it on to the list of critical flaws.

All potentially allow Remote Code Execution (RCE), which guarantees admins will feel thankful when they’re patched (Hyper-V users also need to address the Intel flaw mentioned above with additional mitigations).

The remaining critical flaws include the routine filling of security cracks in the Edge browser (CVE-2019-1426, CVE-2019-1427, CVE-2019-1428), one affecting Exchange Server 2019 (CVE-2019-1373), and four in different Windows components.

A final issue Microsoft mentions in the ADV190024 advisory is CVE-2019-16863, a weakness in the way STMicroelectronics’ Trusted Platform Modules (TPMs) implement the Elliptic Curve Digital Signature Algorithm (ECDSA) in version 2.0 hardware.

This is one of two TPM flaws revealed by researchers this week, the other being an equivalent in Intel TPMs. While the issue affects Microsoft Windows computers, updating it must be done using patches from the affected vendors.

Adobe

It’s a light set of patches this month, covering 11 CVEs in four product families: Adobe Bridge CC, Animate CC, Illustrator CC, and the Adobe Media Encoder. That’s two months in a row in which there have been no patches for Flash Player.