Microsoft, in its final Patch Tuesday of the year, announced two advisories and updates for 36 vulnerabilities. Of these, seven are critical, 27 important, one moderate and one low. One of the ‘important’ vulnerabilities, a zero-day privilege elevation flaw, was found to be actively exploited in the wild.
The seven critical flaws consist of remote code execution vulnerabilities in Git for Visual Studio (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354 and CVE-2019-1387), Win32k Graphics (CVE-2019-1468) and Windows Hyper-V (CVE-2019-1471).
"CVE-2019-1471, the remote code execution vulnerability in Windows Hyper-V, exists due to improper validation of inputs from an authenticated user on the guest operating system by the host server. To exploit the vulnerability, an attacker would need to run a specially-crafted application on the guest operating system, resulting in execution of arbitrary code on the host operating system," commented Satnam Narang, senior research engineer at Tenable.
Improper sanitisation led to the five RCE flaws in Visual Studio, according to the Microsoft announcement.
"An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," warned the Microsoft advisory pages for the bugs. "To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo."
"Depending on the victim’s user privileges, an attacker could use a remote code execution vulnerability in Win32k Graphics (CVE-2019-1468) to create a new account with full user rights, install programs, view, change or delete data," noted Narang.
"To exploit the flaw, an attacker could use social engineering tactics to either convince their victim to visit a specially-crafted website containing the exploit code, or by embedding the exploit code in a specially-crafted document and enticing their victim to open it."
The problems were rectified by "correcting how Git for Visual Studio validates command-line input", explained the company.
Notable among the remaining vulnerabilities is CVE-2019-1458, a privilege escalation flaw that was found in the Win32k driver. Kaspersky Lab researchers Anton Ivanov and Alexey Kulaev earlier discovered that the vulnerability was being actively exploited, SC Media UK reported.
"An attacker could exploit the flaw to execute arbitrary code in kernel mode on the victim’s system. From there, the attacker could perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data," said Narang.
"However, to exploit the flaw, an attacker would need to have previously compromised the system using another vulnerability in order to elevate privileges. It is also important to note this flaw affects Windows 7 and Windows Server 2008, both of which will no longer receive security updates after January 14, 2020," he explained.