Patch Tuesday Fixes Zero-Day Flaw, As Windows 7 Cut Off Looms

Microsoft has released the December edition of its Patch Tuesday security update, that fixes a zero-day flaw with the Windows operating system.

Redmond has resolved 36 vulnerabilities with its last patch update of 2019, one of which is confirmed to be exploited in the wild. Of the 36 vulnerabilities, 7 are rated as critical, 27 important, 1 moderate, and one is low in severity.

The latest security updates comes amid a looming deadline of the end of life for Windows 7 and Server 2008/2008 R2, as Microsoft will stop providing support for these platforms in January 2020. That said, Windows 7 is said to be down to 27 percent of desktop versions worldwide, so systems administrators face a busy month ahead if planning migrations.

Patch Tuesday

With only seven vulnerabilities being labelled as critical, security experts agree this month’s Patch Tuesday update is relatively light.

“Five of the seven Critical vulns are in Git for Visual Studio,” said Jimmy Graham, senior director of product management at Qualys. “The others are for Hyper-V and Win32k. Also, there is one actively attacked “Important” vuln in Win32k. Adobe released patches today covering Acrobat/Reader, ColdFusion, Photoshop, and Brackets.”

“Win32k patches (CVE-2019-1468 and CVE-2019-1458) should be prioritised for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users,” said Graham.

Though ranked as important, Microsoft warned CVE-2019-1458 is actively attacked in the wild.

There is a remote code execution vulnerability (CVE-2019-1471) that has been patched in Hyper-V that would allow an authenticated user on a guest system to run arbitrary code on the host system.

Microsoft also patched 5 vulnerabilities (CVE-2019-1354, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387, and CVE-2019-1349) in Git for Visual Studio.

Graham from Qualys also pointed out that Adobe’s Patch Tuesday covers Acrobat/Reader, ColdFusion, Photoshop, and Brackets that resolve 21 vulnerabilities in total.

Windows 7 support

Chris Goettl, director of security solutions at Ivanti meanwhile pointed out that Google has released an update for Chrome that resolves 51 vulnerabilities, and he highlighted the end of life issue for Windows 7 users.

“It is December Patch Tuesday! There are 14 shopping/patching days left until Christmas and one Patch Tuesday until Microsoft ends support for Windows 7 and Server 2008/2008 R2,” he said.

He also highlighted CVE-2019-1458 patch as the flaw is being exploited in the wild, and noted that Microsoft also released details on an XP SP3 vulnerability (CVE-2019-1489), but no patch will be forthcoming.

“Google has released an update for Chrome, resolving 51 vulnerabilities and Adobe has also released several updates; Adobe Reader is the most concerning with 21 vulnerabilities being resolved,” said Goettl. “An Adobe Flash Player release was issued today but is not security related.”

Quiz: How well do you know Microsoft?