Microsoft’s Patch Tuesday updates for November 2019 address over 70 flaws, including an Internet Explorer issue (CVE-2019-1429) that has been exploited in attacks in the wild.

Microsoft’s Patch Tuesday updates for November 2019 address 74 flaws, including an Internet Explorer vulnerability, tracked as CVE-2019-1429, that has been exploited in the wild. Microsoft doesn’t provide any information on the nature of the active attacks, it only pointed out that they are likely limited at this time.

The CVE-2019-1429 zero-day is a scripting engine memory corruption vulnerability that affects Internet Explorer 9, 10 and 11. Microsoft.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” read the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability could be exploited by an attacker to execute arbitrary code in the context of the current user by tricking the victims into visiting a specially crafted website with a vulnerable IE browser or into opening a weaponized Office document.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.” continues the advisory “The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Microsoft addressed the flaw by modifying how the scripting engine handles objects in memory, the company has not identified any workarounds or mitigating factors for this issue.

Microsoft has credited Ivan Fratric from Google Project Zero, Clément Lecigne from Google’s Threat Analysis Group, an anonymous researcher from iDefense Labs, and Resecurity for reporting the issue.

Microsoft’s Patch Tuesday updates for November 2019 addressed security issue in Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based), ChakraCore, Office and Office Services and Web Apps, Open Source Software, Exchange Server, and Visual Studio.

Of these 74 CVEs addressed by Microsoft, 13 are rated Critical and 61 are rated Important in severity. 15 vulnerabilities were reported through the ZDI program.

According to Trend Micro’s Zero Day Initiative (ZDI), several threat groups could start exploiting the CVE-2019-1429 zero-day now that the patch has been released and that it is possible to make a reverse-engineering of the fix.

Microsoft also addressed a remote code execution vulnerability, tracked as CVE-2019-1373, in Microsoft Exchange. The vulnerability resides in the deserialization of metadata via PowerShell. An attacker could exploit this vulnerability by tricking victims into running cmdlets via PowerShell.

“While this may be an unlikely scenario, it only takes one user to compromise the server. If that user has administrative privileges, they could hand over complete control to the attacker.” reads a post published by ZDI.

Other critical vulnerabilities addressed by Microsoft impact Windows, Internet Explorer, and Hyper-V.

“Looking through the Critical-rated patches, the updates for Hyper-V stand out the most. Five separate code execution bugs receive patches this month, and each could allow a user on the guest OS to execute code on the underlying host OS,” ZDI concludes.

Pierluigi Paganini