Lucene search

talosblog[email protected] (Jon Munshaw)TALOSBLOG:D617C7EFD22C4CD2ECFE1B030BD80B0E
HistoryNov 12, 2019 - 11:58 a.m.

Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage

[email protected] (Jon Munshaw)





By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered “critical,” with the rest being deemed “important.”

This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448 —a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microsoft Media Foundation.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Critical vulnerabilities

Microsoft disclosed 13 critical vulnerabilities this month, nine of which we will highlight below.

CVE-2019-0721, CVE-2019-1389, CVE-2019-1397 and CVE-2019-1398 are all vulnerabilities in Windows Hyper-V that could allow an attacker to remotely execute code on the victim machine. These bugs arise when Hyper-V on a host server improperly validates input from an authenticated user on a guest operating system. An attacker can exploit these vulnerabilities by running a specially crafted application on a guest OS. This could allow a malicious user to escape the hypervisor or a sandbox.

CVE-2019-1390 is a remote code execution vulnerability in VBScript. This vulnerability could allow an attacker to corrupt memory in a way that would enable them to execute remote code in the context of the current user. A user could trigger this vulnerability by visiting an attacker-created website while using the Internet Explorer browser, or by opening an Office document or application that contains an ActiveX control marked “safe for initialization.”

CVE-2019-1426, CVE-2019-1427, CVE-2019-1428 and CVE-2019-1429 are memory corruption vulnerabilities in the Microsoft Scripting Engine that could lead to remote code execution. The bugs exist in the way the Microsoft Edge web browser handles objects in memory. A user could trigger these vulnerabilities by visiting an attacker-controlled website in Edge.

The four other critical vulnerabilities are:

Important vulnerabilities

This release also contains 62 important vulnerabilities, one of which we will highlight below.

CVE-2019-1020 is a security feature bypass vulnerability in the Windows secure boot process. An attacker could run a specially crafted application to bypass secure boot and load malicious software. This security update fixes the issue by blocking vulnerable third-party bootloaders. An update also needs to be applied to Windows Defender.

The other important vulnerabilities are:


In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on

These rules are: 46548, 46549, 52205 - 52209, 52212, 52213, 52216, 52217 - 52225, 52228 - 52234, 52239, 52240