Expert On Microsoft’s November 2019 Patch Tuesday Fixes IE Zero-day, 74 Flaws

With the release of the November 2019 security updates, Microsoft has released 2 advisories and updates for 74 vulnerabilities. Of these vulnerabilities, 13 are classified as Critical. The November 2019 Patch Tuesday also fixes a critical remote code execution vulnerability in Internet Explorer that was being actively exploited in the wild.


EXPERTS COMMENTS
Satnam Narang, Senior Research Engineer, Tenable
November 14, 2019
This month’s Patch Tuesday release contains updates for nearly 75 CVEs. One of the vulnerabilities, CVE-2019-1429, was first exploited in the wild as a zero day and could enable an attacker to execute arbitrary code under the same privileges of the current user. If the user has administrative rights, an attacker would be able to perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data. An attacker would need to convince a user to visit a website containing the exploit code using Internet Explorer in order to exploit the flaw. CVE-2019-1457, which was publicly disclosed at the end of October, is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents. An attacker would need to create a specially crafted Excel document using the SYLK (SYmbolic LinK) file format and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac. Successful exploitation would allow an attacker to execute arbitrary code on the victim’s system.
