Microsoft releases monthly patch in December–also supports zero-day vulnerability in Windows

Microsoft released the monthly security patch "Patch Tuesday" on December 10th, December 2019. In December Patch Tuesday, 36 vulnerabilities were fixed, including the zero-day vulnerability of the “Windows” operating system that was actually exploited.

Microsoft is a zero-day vulnerability [CVE-2019-1458”Explains that there is a vulnerability in Windows that allows elevation of privilege if a Win32k component fails to properly handle an object in memory.

“An attacker who successfully exploited this vulnerability could execute arbitrary code in kernel mode. The attacker could then install a program, view data, modify, delete, etc. Or create a new account with user privileges. "

Microsoft thanked Kaspersky Lab security researchers who discovered this zero-day vulnerability.

Dustin Childs, a member of Trend Micro's Zero Day Initiative [ZDI], said that Google ’s recently fixed zero-day vulnerability in Google Chrome [CVE-2019-13720] It seems to have seen.

Childs said, “[Kaspersky] reported a use-after-release [UAF] vulnerability that is actively exploited in Chrome. When that bug [Chrome] was announced, it combined with a bug in the Windows kernel “ There was speculation that it might be avoiding the sandbox. ''To sayYes.

”“ The relevance of this patch to Chrome attacks has not been confirmed, but this is a type of bug that is used to avoid sandboxes ”[Children]

According to Kaspersky, this zero-day vulnerability in ChromeExploited by a hacker group called WizardOpiumThat's it. WizardOpium directs users to malicious sites and uses this vulnerability to infect malware.

KasperskyIn the official blog, these two zero-day vulnerabilities are relatedAnd proved Mr. Childs's theory.

Microsoft fixed a total of 36 security vulnerabilities in December. Seven were rated as serious.

Also, Win32k Graphics remote code execution vulnerability [CVE-2019-1468] Or "Hyper-V" remote code execution vulnerability [CVE-2019-1471] Has also been corrected.

Other useful information about security updates such as December is summarized below.

This article is from overseas CBS InteractivearticleEdited by Asahi Interactive for Japan.

Source link

Do you like this article??

Show More

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button