With the release of the November 2019 security updates, Microsoft has released 2 advisories and updates for 74 vulnerabilities. Of these vulnerabilities, 13 are classified as Critical. The November 2019 Patch Tuesday also fixes a critical remote code execution vulnerability in Internet Explorer that was being actively exploited in the wild.
This month’s Patch Tuesday release contains updates for nearly 75 CVEs. One of the vulnerabilities, CVE-2019-1429, was first exploited in the wild as a zero day and could enable an attacker to execute arbitrary code under the same privileges of the current user. If the user has administrative rights, an attacker would be able to perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data. An attacker would need to convince a user to visit a website containing the exploit code using Internet Explorer in order to exploit the flaw.
CVE-2019-1457, which was publicly disclosed at the end of October, is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents. An attacker would need to create a specially crafted Excel document using the SYLK (SYmbolic LinK) file format and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac. Successful exploitation would allow an attacker to execute arbitrary code on the victim’s system.