December Patch Tuesday has seen Microsoft release patches for 37 vulnerabilities along with 2 advisories. 7 of the vulnerabilities are rated critical, 27 are rated important, 1 is rated moderate, and another is rated low severity.
One of the important updates corrects a Windows zero-day privilege escalation flaw – CVE-2019-1458 – in the Win32k component that handles objects in the memory. An attacker could exploit the flaw and execute arbitrary code in kernel mode.
Kaspersky Lab discovered the flaw and reported it to Microsoft. According to Kaspersky Lab, the flaw has been exploited in a campaign called operation WizardOpium. The campaign targeted older Windows versions including Windows 7. Some versions of Windows 10 are also vulnerable, although not the latest Windows 10 builds. The exploit for the flaw was combined with a zero-day Chrome exploit which has already been patched by Google.
5 of the 7 critical flaws are remote code execution vulnerabilities in Git for Visual Studio (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387), the others are an RCE flaw in the Win32k Graphics component (CVE-2019-1468) and an RCE vulnerability in Windows Hyper-V (CVE-2019-1471).
Adobe has patched 21 vulnerabilities in Acrobat and Reader, 14 of which are RCE flaws and have been rated critical. The remaining 7 have been rated important. These include use-after-free, heap overflow, out-of-bounds write, buffer errors, untrusted pointer defense, and security bypass flaws.
Two critical memory corruption flaws have been patched in Photoshop. If triggered they could allow arbitrary code to be executed in the context of the current user. A critical command injection vulnerability has been fixed in Adobe Brackets, and an important privilege escalation vulnerability has been fixed in ColdFusion. None of the flaws in Adobe products are believed to have been exploited in the wild.
Users of vulnerable Microsoft and Adobe products have been advised to apply the updates as soon as possible to correct the vulnerabilities.