News

Microsoft's December Patch Rollout Targets 36 Vulnerabilities

• By Kurt Mackie
• 12/10/2019

Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio are all affected by Microsoft's December bundle of security patches, released Tuesday.

The patches address a total of 36 common vulnerabilities and exposures (CVEs), with seven rated as "Critical," according to a blog post by Dustin Childs of Trend Micro's Zero Day Initiative. He added that it's common for Microsoft to offer lighter patch loads in December.

Others security observers, such as Jon Munshaw of Cisco's Talos security blog, counted a total of "25 vulnerabilities, two of which are considered critical" in Microsoft's December release. For those persons wanting to do the count themselves, the whole thing is chronicled in repetitiously mind-numbing detail in the 34 pages of the Microsoft "Security Update Guide" for this month.

Active Attack
Just one CVE addressed by the December patches was reported as being publicly exploited. CVE-2019-1458 is an "Important"-rated Windows elevation-of-privilege vulnerability that's under active attack, according to Childs. Microsoft's Knowledge Base article on the topic stated that an attacker would first need to log into a system and then run "a specially crafted application that could exploit the vulnerability and take control of an affected system." Childs speculated that this vulnerability may have been connected with an earlier reported Google Chrome-based attack. Possibly, this Windows kernel flaw was used.

Notable Critical Flaws
Of the Critical vulnerabilities getting patches this month, one is notable for using an old embedded-fonts malware trick, according to Childs. CVE-2019-1468 is a Windows remote code execution vulnerability that's triggered by getting a person to click on a document file or a link to a Web site, according to Microsoft's Knowledge Base article. The patch corrects "how the Windows font library handles embedded fonts," the Knowledge Base article explained.

Another noteworthy Critical vulnerability, according to Childs, affects Windows Hyper-V. CVE-2019-1471 addresses a scenario where the guest operating system is used to attack the host operating system. Microsoft's Knowledge Base article on the topic stated that the attacker would need to run "a specially crafted application on a guest operating system" to get the host to "execute arbitrary code."

In an associated patch note, a Critical SharePoint Server vulnerability (CVE-2019-0604) that got a patch from Microsoft back in February is now under active attack, according to security expert Kevin Beaumont in a Dec. 10 Twitter post. The note was spotted in this AskWoody blog post. There's also an AskWoody post offering a December patch summary.

Windows 10 KBs
Microsoft's "Release Notes" included a note for IT pros that Windows 10 versions 1903 and 1909 are sharing the same security update Knowledge Base article listings for this month because the core operating system is the same for the OSes. That's an oblique reference to the so-called "enablement package" was used to accelerate Windows 10 version 1909 upgrades.

Last month, in an "Ask Microsoft Anything" Q&A session, Microsoft explained that the enablement package "is somewhat of an 'experiment'" and that "there isn't a formal plan in place to deliver future releases in this same way."

Windows 7's End of Support
Windows 7 Service Pack 1 users and Windows Server 2008 R2 users got a reminder in Microsoft's December Security Patch notice that both OSes will fall out of support on Jan. 14, 2020. Free patch support from Microsoft will stop after that date, making their continued use somewhat risky.

If that weren't enough notice, Microsoft plans to push out a "full-screen notification," colloquially known as "the nag screen," to non-domain-joined Windows 7 SP1 users starting on Jan. 15, 2020, according to this Microsoft support article.

Organizations stuck on Windows 7 can buy into Microsoft's Extended Security Updates (ESU) program, which offers access to Critical and Important security patches for three more years. They'll need to be using the Professional edition or Pro edition of Windows 7 SP1 to be eligible for the program. A new Windows 7 product key needs to be used, which can be purchased from a Microsoft partner that's part of the Cloud Solution Partner (CSP) program, Microsoft clarified in a Nov. 26-updated article on how to set up Extended Security Updates.

Many helpful responses from Microsoft about the ESU program can be found in the comments section of that updated article. One commenter there noted that there's an optional update that can be downloaded from the Microsoft Update Catalog to verify if Windows 7 SP1 or Windows Server 2008 R2 machines are eligible to use ESUs. The update is described in this support article. There's also a brief support article on getting the ESU product keys here. There's also a FAQ on getting ESU support.

Also losing support next month will be Microsoft Security Essentials, a free Microsoft anti-malware solution that's tied to the lifecycle of Windows 7. Users hoping to hang onto Windows 7 and continue to use Microsoft Security Essentials for protection will be out of luck. They won't have this protection after the Jan. 14, 2020 end date, according to this Born's Tech and Windows World article.