Patch Tuesday Fixes Zero-Day Flaw, As Windows 7 Cut Off Looms

Microsoft has released the December edition of its Patch Tuesday security update, that fixes a zero-day flaw with the Windows operating system.

Redmond has resolved 36 vulnerabilities with its last patch update of 2019, one of which is confirmed to be exploited in the wild. Of the 36 vulnerabilities, 7 are rated as critical, 27 important, 1 moderate, and one is low in severity.

The latest security updates comes amid a looming deadline of the end of life for Windows 7 and Server 2008/2008 R2, as Microsoft will stop providing support for these platforms in January 2020. That said, Windows 7 is said to be down to 27 percent of desktop versions worldwide, so systems administrators face a busy month ahead if planning migrations.

Patch Tuesday

With only seven vulnerabilities being labelled as critical, security experts agree this month’s Patch Tuesday update is relatively light.

“Five of the seven Critical vulns are in Git for Visual Studio,” said Jimmy Graham, senior director of product management at Qualys. “The others are for Hyper-V and Win32k. Also, there is one actively attacked “Important” vuln in Win32k. Adobe released patches today covering Acrobat/Reader, ColdFusion, Photoshop, and Brackets.”

“Win32k patches (CVE-2019-1468 and CVE-2019-1458) should be prioritised for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users,” said Graham.

Though ranked as important, Microsoft warned CVE-2019-1458 is actively attacked in the wild.

There is a remote code execution vulnerability (CVE-2019-1471) that has been patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system.

Microsoft also patched 5 vulnerabilities (CVE-2019-1354, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387, and CVE-2019-1349) in Git for Visual Studio.

Graham from Qualys also pointed out that Adobe’s Patch Tuesday covers Acrobat/Reader, ColdFusion, Photoshop, and Brackets that resolve 21 vulnerabilities in total.

Windows 7 support

Chris Goettl, director of security solutions at Ivanti meanwhile pointed out that Google has released an update for Chrome that resolves 51 vulnerabilities, and he highlighted the end of life issue for Windows 7 users.

“It is December Patch Tuesday! There are 14 shopping/patching days left until Christmas and one Patch Tuesday until Microsoft ends support for Windows 7 and Server 2008/2008 R2,” he said.

He also highlighted CVE-2019-1458 patch as the flaw is being exploited in the wild, and noted that Microsoft also released details on an XP SP3 vulnerability (CVE-2019-1489), but no patch will be forthcoming.

“Google has released an update for Chrome, resolving 51 vulnerabilities and Adobe has also released several updates; Adobe Reader is the most concerning with 21 vulnerabilities being resolved,” said Goettl. “An Adobe Flash Player release was issued today but is not security related.”

Quiz: How well do you know Microsoft?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

NHS Covid-19 Tracing App For England, Wales, Nears Launch

Date for limited rollout of delayed NHS track and trace app for England and Wales…

3 days ago

Coronavirus: Facebook Staff To Work From Home Until July 2021

Facebook follows Google lead by extending right of staffers to work from home until July…

3 days ago

Canon Suffers Ransomware Attack, With 10TB Of Data Stolen – Report

Report suggests Canon has been crippled with a ransomware attack with allegedly 10TB of data,…

4 days ago

Uber Expands UK Reach With Autocab Buy

Amid consolidation in the taxi sector caused by Coronavirus lockdown, Uber purchases British rival Autocab…

4 days ago

TikTok Selects Ireland For First European Data Centre

Ireland to get another data centre after the Chinese-owned short video app TikTok announces first…

4 days ago