Microsoft released its December 2019 monthly security patch, "Patch Tuesday," on December 10th. The December Patch Tuesday fixed 36 vulnerabilities, including a zero-day vulnerability in the Windows operating system that was actually being exploited.
Microsoft explains that the zero-day vulnerability (CVE-2019-1458) is a vulnerability in Windows that allows elevation of privilege if the Win32k component fails to properly handle an object in memory.
“An attacker who successfully exploited this vulnerability could execute arbitrary code in kernel mode. The attacker could then install a program; view, modify, or delete data; or create a new account with user privileges.”
Microsoft thanked Kaspersky Lab security researchers who discovered this zero-day vulnerability.
Dustin Childs, a member of Trend Micro's Zero Day Initiative (ZDI), appears to see a connection with the zero-day vulnerability in Google Chrome (CVE-2019-13720) that Google recently fixed.
Childs said, “[Kaspersky] reported a use-after-free (UAF) vulnerability that is actively exploited in Chrome. When that [Chrome] bug was announced, there was speculation that it was being combined with a bug in the Windows kernel to escape the sandbox.”
“The relevance of this patch to the Chrome attacks has not been confirmed, but this is a type of bug that is used to escape sandboxes.” (Childs)
According to Kaspersky, this zero-day vulnerability in Chrome was exploited by a hacker group called WizardOpium. WizardOpium directs users to malicious sites and uses this vulnerability to infect them with malware.
Kaspersky stated on its official blog that these two zero-day vulnerabilities are related, which proved Childs's theory.
Microsoft fixed a total of 36 security vulnerabilities in December. Seven were rated as serious.
Other useful information about the December security updates is summarized below.
- Microsoft's official portal, the “Security Update Guide,” summarizes all security updates in a filterable table.
- ZDNet in the US has posted them on a single page.
- Cisco Talos, SANS ISC, Tenable, and Trend Micro have also released commentary on the December monthly patch.
- Adobe-related security update information is explained in detail on the company's official website.
- SAP-related security updates are explained in detail on the company's official website.
- Intel-related security update information is explained in detail on the company's official website.
- The December 2019 Android Security Bulletin has also been released.
- A new version of Google Chrome has been released.
- Updates for “iOS” and “iPadOS” have also been released.
This article is an overseas CBS Interactive article, edited by Asahi Interactive for Japan.