This Tuesday, Microsoft has rolled out a final scheduled updates for the year 2019. With the December Patch Tuesday bundle, Microsoft has addressed relatively fewer bugs as compared to previous months (only 36). Nonetheless, once again, Microsoft has patched a zero-day bug under active exploitation.
Microsoft Fixed Zero-Day Bug Under Exploit
Reportedly, with December Patch Tuesday updates Microsoft has fixed a zero-day vulnerability that existed in the Win32k component. When triggered, the bug could result in a privilege escalation.
Stating about this vulnerability, CVE-2019-1458, in an advisory, Microsoft said,
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploiting the flaw required an attacker to log on to the system and run a maliciously crafted application.
What’s more troubling with this bug is that the attackers already started exploiting this flaw before a patch.
According to Kaspersky, who discovered this zero-day, elaborated in their blog post, that this bug possibly came under exploit together with another zero-day flaw in Google Chrome (CVE-2019-13720) that the researchers discovered last month.
The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox.
Other December Patch Tuesday Updates
In addition, Microsoft has also fixed 35 other bugs that remained undisclosed and exploited. Microsoft deemed 7 of these bugs as critically severe, which could lead to remote code execution upon an exploit.
Collectively, the software receiving security updates this month include Microsoft Windows, Skype for Business, Visual Studio, SQL Server, Microsoft Office and Microsoft Office Services and Web Apps, and Internet Explorer.
In November Microsoft again fixed an actively exploited zero-day bug.
Let us know your thoughts in the comments.