It’s the end of the 20-teens, and your Windows PC can still be pwned by nothing more than a simple bad font

With the year winding to a close and the holiday parties set to kick off, admins will want to check out the December Patch Tuesday load from Microsoft, Adobe, Intel, and SAP and get them installed before downing the first of many egg nogs.

Redmond gifts admins a light burden

This month is a relatively small patch bundle from Microsoft, with fixes kicked out for just 36 CVE-listed bugs, only seven of which are considered to be critical risks by Redmond standards.

Not among those seven is CVE-2019-1458, a flaw believed to be under active attack in the wild. The bug, an elevation of privilege error caused by the handling of objects in memory, is said to have been chained with a Chrome flaw to let attackers remotely attack PCs, and is just rated as important.

“When that [Chrome] bug became public, there was speculation it was being paired with a Windows kernel bug to escape the sandbox,” explained Dustin Childs of the Trend Micro ZDI. “While it’s not confirmed this patch is connected to those Chrome attacks, this is the type of bug one would use to perform a sandbox escape.”

Also of note is CVE-2019-1471, a critical hypervisor escape bug that would allow an attacker running on a guest VM to execute code on the host box.

The bulk of this month’s critical fixes were for a series of five remote code execution flaws in Git for Visual Studio. In each of the flaws, said to be caused by improper handling of command-line input, an attacker would launch the exploit by convincing the target to clone a malicious repo.

The remaining critical patch is for CVE-2019-1468, a play on the tried-and-true font-parsing vulnerability. In the wild, an attacker would embed the poisoned font file in a webpage and attack any system that visits.

For Office, the December bonanza brings fixes for a denial of service bug in Word (CVE-2019-1461), a remote code execution flaw in PowerPoint (CVE-2019-1462), and an information disclosure flaw in Excel (CVE-2019-1464). In each case the attacker would convince the mark to open a poisoned document file.

Adobe wraps up Acrobat and Photoshop fixes

For Adobe, there are updates for Acrobat, Photoshop, Brackets, and ColdFusion.

The bulk of the fixes will apply to Acrobat and Acrobat Reader, where a total of 21 CVE-listed bugs were patched. Of those, six were information disclosure via out-of-bounds read flaws, while one was privilege escalation by changing default directories.

The remaining vulnerabilities allowed arbitrary code execution via security bypass, untrusted pointer dereference, buffer errors, heap overflows, use-after-free conditions, and out of bounds read and write.

For Photoshop, two CVE-listed bugs (CVE-2019-8253, CVE-2019-8254) are patched on Windows and macOS. Each would potentially allow arbitrary code execution if exploited.

Developers will want to pay attention to two Adobe patches in particular. In Brackets, there is one flaw allowing arbitrary code execution (CVE-2019-8255), and in ColdFusion there was a single privilege escalation flaw (CVE-2019-8256).

Adobe says none of the patched bugs are currently being targeted in the wild.

Intel’s December patches: More than just Plunderbolt

On Tuesday morning, word broke about Plunderbolt, the latest side-channel flaw for Intel processors. That advisory was one of 11 from Chipzilla this month.

Others included a set of privilege escalation flaws in NUC firmware, escalation of privilege via Linux Administrative Tools, and elevation of privilege errors in the handing of virtual environments.

SAP drops December fixes

For those using SAP software, there are a total of seven security notes this month, including fixes for bugs in Adaptive Server Enterprise (CVE-2019-0402), SAP BusinessObjects (CVE-2019-0395) and SAP Enable Now (CVE-2019-0405). ®

READ MORE HERE

0