December Patch Tuesday Addressed Microsoft Zero-Day Under Exploit

This Tuesday, Microsoft has rolled out a final scheduled updates for the year 2019. With the December Patch Tuesday bundle, Microsoft has addressed relatively fewer bugs as compared to previous months (only 36). Nonetheless, once again, Microsoft has patched a zero-day bug under active exploitation.

Microsoft Fixed Zero-Day Bug Under Exploit

Reportedly, with December Patch Tuesday updates Microsoft has fixed a zero-day vulnerability that existed in the Win32k component. When triggered, the bug could result in a privilege escalation.

Stating about this vulnerability, CVE-2019-1458, in an advisory, Microsoft said,

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Exploiting the flaw required an attacker to log on to the system and run a maliciously crafted application.

What’s more troubling with this bug is that the attackers already started exploiting this flaw before a patch.

According to Kaspersky, who discovered this zero-day, elaborated in their blog post, that this bug possibly came under exploit together with another zero-day flaw in Google Chrome (CVE-2019-13720) that the researchers discovered last month.

The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox.

Other December Patch Tuesday Updates

In addition, Microsoft has also fixed 35 other bugs that remained undisclosed and exploited. Microsoft deemed 7 of these bugs as critically severe, which could lead to remote code execution upon an exploit.

Collectively, the software receiving security updates this month include Microsoft Windows, Skype for Business, Visual Studio, SQL Server, Microsoft Office and Microsoft Office Services and Web Apps, and Internet Explorer.

In November Microsoft again fixed an actively exploited zero-day bug.

Let us know your thoughts in the comments.

The following two tabs change content below.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Related