November's Patch Tuesday is upon us and, this month, Microsoft addressed 74 vulnerabilities of which one Internet Explorer vulnerability (CVE-2019-1429) has been seen under active exploitation. By prioritizing the released Microsoft Windows and Internet Explorer patches, the door to 58 of the 74 vulnerabilities will be closed off. Also, for the second month in a row, this Patch Tuesday sees an absent security update from Adobe for Adobe Flash Player which had previously been a monthly staple. This does align with the article surrounding Microsoft’s approach in ending Adobe Flash’s support on December 31, 2020.

The mentioned exploited remote code execution vulnerability in Internet Explorer (CVE-2019-1429) has the potential to corrupt objects in memory allowing for code execution under the context of the current user. Be wary of suspicious websites that may be embedding ActiveX controls even if marked "safe for initialization". But the common theme here is to practice safe browsing and good security hygiene (which includes patching whenever possible).

Only one vulnerability was previously disclosed this month. CVE-2019-1457 describes a security feature bypass vulnerability on Microsoft Excel 2016 and 2019 for Mac where the macro setting is not enforced. Luckily, this does not get triggered via a Preview Pane nor does it directly allow for arbitrary code execution.

In response to advisories set out by Intel on November 12, 2019, Microsoft provided additional mitigations for a Denial of Service vulnerability (CVE-2018-12207) and an Information Disclosure vulnerability (CVE-2019-11135). While protections are enabled by default for both client and server Windows operating systems for CVE-2019-11135, protections for CVE-2018-12207 require additional steps (for Hyper-V hosts) on top of the security patch to fully mitigate. On the brighter side of things, an attacker would need to log in and run a specially crafted application in order to perform this denial of service attack (or trick a user in opening the specially crafted application).

Outside our staple vulnerability fixes for operating systems, browsers, and the office suite, November's Patch Tuesday provides fixes for a privilege elevation vulnerability in Visual Studio and Visual Studio Code (CVE-2019-1425 and CVE-2019-1414 respectively), a remote code execution vulnerability in Exchange (CVE-2019-1373) possible only via running cmdlets through PowerShell, and an information disclosure vulnerability (CVE-2019-1443) for SharePoint Server and SharePoint Foundation.

Finally, while no Windows systems use the vulnerable algorithm of CVE-2019-16863, Microsoft released Security Advisory 190024 for a Trusted Platform Module (TPM) firmware vulnerability to remind those affected that even after an update to TPM firmware, it might be necessary to re-enroll in security services. There were no additional patches associated with that advisory.

2019-Nov_count_by_component
2019-Nov_count_by_impact
2019-Nov_count_by_severity
2019-Nov_cvss3_distribution

Note: not all CVEs had CVSSv3 data available at the time of writing