Nov 12, 2019 - 9:35 p.m.

Microsoft Patches RCE Bug Actively Under Attack

Tom Spring


A critical bug in a Microsoft scripting engine, under active attack, has been patched as part of Microsoft’s Patch Tuesday security roundup.

The vulnerability exists in Internet Explorer and allows an attacker to execute rogue code if a victim is coaxed into visiting a malicious web page, or, if they are tricked into opening a specially crafted Office document.

“An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker…could take control of an affected system,” Microsoft wrote in its advisory.

Under an Office document attack scenario, Microsoft said an adversary might embed an ActiveX control marked “safe for initialization” in an Office document. If initialized, the malicious document could then direct the user to a rogue website, booby-trapped with specially crafted content that could exploit the vulnerability.

The bug (CVE-2019-1429), first identified by Google Project Zero, is believed to be actively exploited in the wild, according to the computing giant.

November Patch Tuesday Tackles Additional Critical and Important Bugs

In total, Microsoft issued 75 CVEs that included 11 critical and 64 important.

One of the critical bugs includes an Excel security feature bypass flaw (CVE-2019-1457) which was publicly disclosed at the end of October and exploited as a zero-day.

“[This] is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents,” explained Satnam Narang, senior research engineer at Tenable, in an email analysis of Patch Tuesday. “An attacker would need to create a specially crafted Excel document using the SYLK (SYmbolic LinK) file format, and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac.”

Earlier this month, Microsoft warned that malicious SYLK files are sneaking past endpoint defenses even when the “disable all macros without notification” setting is turned on. This leaves systems vulnerable to remote, unauthenticated attackers who can execute arbitrary code.

“XLM macros can be incorporated into SYLK files,” wrote the United States Computer Emergency Readiness Team in a warning earlier this month. “Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users.”
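Because SYLK is a plain-text format and Office does not open it in Protected View, a mail gateway or endpoint triage script can at least flag files that carry formula records before a user ever sees them. The scanner below is an added example for this article, not code from Threatpost, Microsoft or US-CERT. It assumes the SYLK record layout (one record per line, a record type followed by `;`-separated fields, each field led by a one-letter tag; `C` records hold cell formulas in an `E` field and `NN` records define names; a literal `;` inside a field is written `;;`). The list of risky Excel 4.0 functions and auto-run names is the author's own choice, and both sample documents are constructed for the test.

```python
import re

# Excel 4.0 (XLM) macro functions that launch programs or call into DLLs.
# Chosen for this example; extend to taste.
RISKY_FUNCS = ("EXEC", "CALL", "REGISTER", "RUN", "FOPEN", "FWRITE")

# Defined names that Excel runs automatically when the workbook opens/closes.
AUTO_NAMES = ("AUTO_OPEN", "AUTO_CLOSE", "AUTO_ACTIVATE", "AUTO_DEACTIVATE")


def parse_sylk(text):
    """Return a list of (record_type, [(field_tag, value), ...]) per SYLK record."""
    records = []
    for line in text.splitlines():
        line = line.strip("\r\n")
        if not line:
            continue
        # A literal ';' inside a field is escaped as ';;'; stash it before splitting.
        parts = line.replace(";;", "\x00").split(";")
        rtype = parts[0]
        fields = []
        for part in parts[1:]:
            part = part.replace("\x00", ";")
            if part:
                fields.append((part[0], part[1:]))  # tag letter, then value
        records.append((rtype, fields))
    return records


def scan_sylk(text):
    """Return human-readable indicators of XLM macro content found in a SYLK document."""
    findings = []
    for lineno, (rtype, fields) in enumerate(parse_sylk(text), start=1):
        for tag, value in fields:
            upper = value.upper()
            # Formula fields on cells (C) and defined names (NN).
            if rtype in ("C", "NN") and tag == "E":
                for func in RISKY_FUNCS:
                    if re.search(r"\b" + func + r"\s*\(", upper):
                        findings.append(f"record {lineno}: formula calls {func}()")
            # A defined name that Excel auto-executes.
            if rtype == "NN" and tag == "N" and upper in AUTO_NAMES:
                findings.append(f"record {lineno}: defines auto-run name {value}")
    return findings


def is_suspicious(text):
    """True when the document carries any macro indicator; use as a quarantine gate."""
    return bool(scan_sylk(text))


# Constructed sample: an ordinary spreadsheet with a plain formula and an escaped ';'.
BENIGN_SYLK = "\r\n".join([
    "ID;PWXL;N;E",
    'C;Y1;X1;K"Quarterly totals"',
    "C;Y2;X1;K1250",
    "C;Y2;X2;ER2C1*2",
    'C;Y3;X1;K"a;;b"',
    "E",
])

# Constructed sample: an auto-run name pointing at a cell whose formula calls EXEC.
# The command string is a placeholder, not a real payload.
MACRO_SYLK = "\r\n".join([
    "ID;P",
    "NN;NAuto_Open;ER1C1",
    'C;X1;Y1;EEXEC("PLACEHOLDER_COMMAND")',
    "C;X1;Y2;EHALT()",
    "E",
])

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SYLK), ("macro", MACRO_SYLK)):
        print(name, "->", scan_sylk(doc) or "no indicators")
```

The parser is deliberately tolerant: it never evaluates a formula, it only looks at the text of `E` fields and `N` names, so a crafted file cannot make the scanner itself do anything. Treat a hit as a reason to quarantine and inspect, not as proof of malice, and pair it with the macro-blocking policy the article describes rather than relying on either alone.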

Microsoft Trusted Platform Module Guidance and Housecleaning

The Patch Tuesday advisories also included non-CVE updates, such as one regarding a vulnerability in a Trusted Platform Module (TPM) chipset. The TPM vulnerability is a third-party bug not connected to the Windows operating system.

“Currently no Windows systems use the vulnerable algorithm. Other software or services you are running might use this algorithm. Therefore if your system is affected [it] requires the installation of TPM firmware updates,” wrote Microsoft in its advisory, ADV190024.

The vulnerability weakens key confidentiality protection for the Elliptic Curve Digital Signature Algorithm or ECDSA. The technology is used for a variety of different applications such as a Bitcoin-related app where it is leveraged to ensure that funds can only be spent by their rightful owners.

Chris Goettl, researcher with Ivanti, said this November Patch Tuesday should also serve as a reminder of a number of key Windows end-of-life dates.

“There are some Windows end-of-life dates that users should be aware of both this month and coming in January,” Goettl wrote. He added there are “some additional details on extended support for Windows 7 and Server 2008\2008 R2 from a blog post in November that discuss how to get access and ensure your systems are prepared for extended support if you are continuing on.”
