Microsoft Patches Just 36 Flaws in December
Microsoft has taken pity on system administrators by ending the year with a relatively light patch load fixing just 36 vulnerabilities.
The update round includes seven critical flaws and one being actively exploited in the wild: CVE-2019-1458, a privilege escalation vulnerability in the Win32k component.
Although it is rated only “important,” security experts urge admins to prioritize the fix for that bug: an exploited local privilege escalation lets malware or a phished user jump from a normal account to SYSTEM. Recorded Future intelligence analyst Allan Liska explained that an exploit for a similar Win32k vulnerability, CVE-2019-0859, was found being sold on underground markets earlier this year.
A separate flaw in this month’s batch involves a different attack scenario: an attacker would need to convince a developer to clone a malicious repository. This may be tricky, but the rewards are potentially big, according to Ivanti director of security solutions Chris Goettl.
“This is a spear phishing escalation of privilege into the engineering group. Hypothetically a threat actor could target a software vendor or service provider. If they know enough about the vendor’s platform and have access to a list of email addresses for those developers, they could create a spear phishing campaign to target these users and attempt to convince them to access their malicious repository,” he explained.
“It is very common for developers to share code across or to ask someone to debug an issue they are seeing. If an unsuspecting developer connects to the repository from someone they think they trust, then an attacker can gain control of their development environment.”
Elsewhere yesterday, Google released an update for its Chrome browser which resolves 51 vulnerabilities, while Adobe fixed 21 flaws in its Reader product.
Experts were also keen to point out that there’s just one scheduled monthly patch update round left before Windows 7 and Server 2008/2008 R2 reach end-of-life on January 14, 2020. After that date, any organization still running those products without either compensating controls or Microsoft’s paid Extended Security Updates will be exposed to newly discovered flaws, since no public fixes will be issued for them.
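As an added example, not part of the original article, the following PowerShell triage script does the two checks an administrator would want after reading the above: it flags hosts still running Windows 7 / Server 2008 / 2008 R2 (NT version 6.0 and 6.1) and flags hosts whose newest installed update predates the December 2019 Patch Tuesday (10 December 2019), meaning they have not yet taken the rollup that fixes CVE-2019-1458. The date cut-off is a heuristic, assumed here instead of a per-KB lookup, because the relevant KB number differs for each Windows build.

```powershell
# Added example (not from the article or from Microsoft). Assumptions:
# - NT version 6.0 = Vista / Server 2008, 6.1 = Windows 7 / Server 2008 R2;
#   both reach end-of-life on 14 January 2020.
# - December 2019 Patch Tuesday was 10 December 2019. A host whose newest
#   installed hotfix predates that has not taken the monthly rollup that
#   carries the CVE-2019-1458 fix. This is a heuristic, not a KB check.

function Get-PatchTriage {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$PatchTuesday = [datetime]'2019-12-10'
    )

    foreach ($c in $ComputerName) {
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c
        $ver = [version]$os.Version
        # Anything at or below 6.1 is end-of-life after January 2020.
        $eol = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

        # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be null
        # for some entries, so drop those before taking the newest date.
        $latest = Get-HotFix -ComputerName $c |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            Computer          = $c
            OSCaption         = $os.Caption
            Version           = $os.Version
            EndOfLifeOS       = $eol
            LatestHotFix      = $latest.HotFixID
            LatestInstall     = $latest.InstalledOn
            MissingDecRollup  = (-not $latest) -or ($latest.InstalledOn -lt $PatchTuesday)
        }
    }
}

# Run against the local machine; pass -ComputerName for a list of hosts.
Get-PatchTriage | Format-Table -AutoSize
```

Hosts reporting both `EndOfLifeOS` and `MissingDecRollup` as true are the ones to treat first: they need this month's rollup now and a migration or Extended Security Updates plan before the January 2020 cut-off.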
Source: Information Security Magazine