Microsoft fixes IE zero-day in November Patch Tuesday

Intel and Adobe add to the update fiesta

Microsoft's latest Patch Tuesday updates collectively fix 74 flaws, 13 of which it classifies as critical.

Among the resolved security bugs is a scripting engine memory corruption vulnerability in Internet Explorer that’s been recorded as under active attack.

The vulnerability (CVE-2019-1429) arises because of a memory corruption flaw in the scripting engine of the browser that can be abused to achieve remote code execution (RCE).

Exploitation involves tricking a user into visiting a malicious web page or opening a specially crafted Office document.

Because of the way IE is integrated into Windows, the patch is needed even for those who don’t use IE as their main browser.

An RCE vulnerability in VBScript (CVE-2019-1390) is also on the critical list.

Very little additional information on this bug is available beyond confirmation that the flaw stems from bugs in the “way that the VBScript engine handles objects in memory”.

Return of the Mac

Microsoft has addressed a lesser but nonetheless noteworthy flaw in how Office for Mac handles legacy format files, as reported by The Daily Swig earlier this week.

The bug impacted all current versions of the suite and not just the obsolete Office for Mac 2011.

Satnam Narang, senior research engineer at Tenable, commented: “CVE-2019-1457, which was publicly disclosed at the end of October, is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents.

“An attacker would need to create a specially crafted Excel document using the SYLK (Symbolic Link) file format and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac.

“Successful exploitation would allow an attacker to execute arbitrary code on the victim’s system,” he added.

The patch batch also fixed flaws in various Windows components, the most notable of which resolved an information disclosure bug in the TCP/IP stack due to improperly handled IPv6 flow labels in packets.

A patching matrix from the SAN Institute’s Internet Storm Centre and analysis from Trend Micro’s Zero Day Initiative (ZDI) provides additional information about the latest patch batch from Microsoft.

Elsewhere Adobe released four patches for Adobe Animate CC, Illustrator CC, Bridge CC, and Media Encoder, respectively. The patch batch collectively addresses 11 vulnerabilities.

Intel has released security updates designed to resolve vulnerabilities in multiple products in what’s billed as the first of what will become a monthly update cycle.

The most noteworthy of the batch addresses a ZombieLoad side-channel attack variant flaw affecting Intel processors.

And, not to be outdone, VMWare has also pushed out a raft of security fixes.