November 13, 2019

Microsoft Pushes Out Patches for 13 Critical Vulnerabilities, Spanning IE, Hypervisor Escape, More

"The bulletin does not state what level of privileges are required to exploit..."

By CBR Staff Writer

Patch Tuesday looks a little more substantial this month, with Microsoft security updates now available to address a total of 74 vulnerabilities, 13 of them labelled critical, including one zero day being actively exploited in the wild.

The fixes are up from last month’s 60 CVEs, nine of which were critical. Security teams are being urged to update their systems as soon as possible.

One of the patches (CVE-2019-1429) addresses a remote code execution vulnerability in the way that the scripting engine handles objects in memory in Internet Explorer. Microsoft has reported this as being actively attacked in the wild.

Chris Goettl, Director of Security Solutions at Ivanti, said in an emailed comment: “The vulnerability only gains them equal access to the current user, so proper privilege management would mitigate the attacker’s ability to take full control of the system without using additional elevation of privilege exploits.”

He added: “For attack vectors, an attacker could craft a website or embed an ActiveX control marked with ‘safe for initialisation’ in an application or Office document that hosts the IE rendering engine. Security training on common phishing and user-targeted attack methods could further reduce the risk of this vulnerability being exploited. But since it is already being exploited in the wild, it is highly recommended to get the patch rolled out quickly to resolve the vulnerability completely.”

Microsoft Security Updates Span 13 Critical Vulns

Of the 13 critical vulnerabilities, five are for browsers and scripting engines.

Out of the eight other critical vulnerabilities, four are potential hypervisor escapes in Hyper-V.

There are also vulnerabilities in Microsoft Exchange, Win32k, Windows Media Foundation, and OpenType, Microsoft said in its monthly update.

The critical vulnerability (CVE-2019-1373) in Microsoft Exchange also stands out, but scant details have emerged. As Jimmy Graham, Senior Director of Product Management at Qualys, notes: “The bulletin states that the user must execute PowerShell cmdlets against the Exchange server, but the bulletin does not state what level of privileges are required to exploit. With this being unknown at this time, it is recommended that this patch be prioritized for any Microsoft Exchange servers.”

Ivanti’s Goettl adds: “Microsoft has resolved a publicly disclosed vulnerability (CVE-2019-1457) in Excel that could bypass security features.

“An attacker could embed a control in an Excel worksheet that specifies a macro should be run. Whatever is executed in the macro that was triggered by bypassing the security settings of Excel would be the real risk of this vulnerability. This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed, threat actors have had a jump start on being able to develop an exploit to take advantage of the CVE. This puts the vulnerability at higher risk of exploitation.”
