December 10, 2019

Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.

By nearly all accounts, the chief bugaboo this month is CVE-2019-1458, a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859, a Windows flaw reported in April that was found being sold in underground markets.

CVE-2019-1458 is what’s known as a “privilege escalation” flaw, meaning an attacker would already need a foothold on the system (typically gained through another vulnerability) and could then use this bug to obtain higher privileges. Handy in that respect is CVE-2019-1468, a similarly widespread critical issue in the Windows font library that could be exploited just by getting the user to visit a hacked or malicious Web site.

Chris Goettl, director of security at Ivanti, called attention to a curious patch advisory Microsoft released today for CVE-2019-1489, which is yet another weakness in the Windows Remote Desktop Protocol (RDP) client, a component of Windows that lets users view and manage their system from a remote computer. What’s curious about this advisory is that it applies only to Windows XP Service Pack 3, which is no longer receiving security updates.

“The Exploitability Assessment for Latest Software Release and Older Software Release is 0, which is usually the value reserved for a vulnerability that is known to be exploited, yet the Exploited value was currently set to ‘No’ as the bulletin was released today,” Goettl said. “If you look at the Zero Day from this month (CVE-2019-1458) the EA for Older Software Release is ‘0 – Exploitation Detected.’ An odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.”

Microsoft didn’t release a patch for this bug on XP, and its advisory on it is about as sparse as they come. But if you’re still depending on Windows XP for remote access, you likely have bigger security concerns. Microsoft has patched many critical RDP flaws in the past year. Even the FBI last year encouraged users to disable it unless needed, citing flawed encryption mechanisms in older versions and a lack of access controls which make RDP a frequent entry point for malware and ransomware.

Speaking of no-longer-supported Microsoft operating systems, Windows 7 and Windows Server 2008 will cease receiving security updates after the next decade’s first Patch Tuesday comes to pass on January 14, 2020. While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Windows 10 likes to install patches and sometimes feature updates all in one go and reboot your computer on its own schedule, but you don’t have to accept this default setting. Windows Central has a useful guide on how to disable or postpone automatic updates until you’re ready to install them. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.
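As an added example (not part of the original post), the following PowerShell script audits the three points raised above on a single host: whether Remote Desktop is enabled, how automatic updates are configured, and whether a given monthly rollup is installed. The registry paths are the documented Windows locations; the default KB number is the Windows 7 x64 December rollup a commenter mentions below and is only a placeholder for whatever rollup applies to your OS.

```powershell
# Added audit script, not from the KrebsOnSecurity post or from Microsoft.
# Run in an elevated PowerShell prompt; read-only, changes nothing.
param(
    # KB4530724 is named in the comments for Windows 7 x64; substitute your OS's rollup.
    [string]$RollupKB = 'KB4530724'
)

# 1. Remote Desktop state. fDenyTSConnections = 1 means RDP is disabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($null -eq $ts -or $ts.fDenyTSConnections -eq 0) {
    Write-Warning 'Remote Desktop is enabled; disable it unless it is actually needed.'
} else {
    Write-Output 'Remote Desktop is disabled.'
}

# 2. Automatic Updates policy. AUOptions values per the Configure Automatic
#    Updates policy: 2 = notify before download, 3 = auto download then notify,
#    4 = auto download and install on a schedule. Absent key = OS default behaviour.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue
$auMeaning = @{
    2 = 'notify before download (you choose when to install)'
    3 = 'auto download, notify before install'
    4 = 'auto download and scheduled install'
}
if ($au -and $auMeaning.ContainsKey([int]$au.AUOptions)) {
    Write-Output ("Windows Update policy: AUOptions={0} ({1})." -f $au.AUOptions, $auMeaning[[int]$au.AUOptions])
} else {
    Write-Output 'Windows Update policy: no AUOptions policy set; OS default applies.'
}

# 3. Is the monthly rollup present? Get-HotFix lists installed updates by KB id.
$fix = Get-HotFix -Id $RollupKB -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output ("{0} installed on {1}." -f $RollupKB, $fix.InstalledOn)
} else {
    Write-Warning "$RollupKB not found; check Windows Update history before assuming this host is patched."
}
```

On Windows 10 the rollup KB differs per build, so pass the correct one with -RollupKB rather than relying on the Windows 7 default.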

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may even chime in here with some helpful tips.

Finally, once again there are no security updates for Adobe Flash Player this month (there is a non-security update available), but Adobe did release critical updates for Windows and macOS versions of its Acrobat and PDF Reader that fix more than 20 vulnerabilities in these products. Photoshop and ColdFusion 2018 also received security updates today. Links to advisories here.

69 thoughts on “Patch Tuesday, December 2019 Edition”

  1. Kevin

    Windows 7 – Slow Boot – Stuck at … “Applying computer Settings…” Prior to login

    Each restart is taking between 10-50 minutes to get to login screen. All Windows 7 users affected.

    Under windows updates there is nothing new installed. Yet looking at the restore points one has been created!

    Posted here in case anyone finds a fix

    1. ASitte

      Not trying to troll you or anyone else supporting Win7 but this fact should be foremost on any system administrators mind:

      Win 7 EOL = 14 Jan 2020

      I highly recommend anyone still supporting Win7 systems to spend their limited and valuable time and resources on upgrade/replacement of those very soon to be unsupported systems.

      Same for Win2008 server environments.

      1. J

        Windows 7 will continue to receive paid updates for three years after EOL, and I’m sure people will find a way to receive those for free if Microsoft doesn’t give in and do it themselves.

        I’ve updated most of my systems to Win10 but I have one that needs some extra TLC and that’ll probably take me a few more months to migrate. I’ll probably put it on its own VLAN and see if I can get updates through other means.

  2. Jones

    My Windows 10 also got caught in the reboot screen, never finishing the update process, so I had to restore the system from advanced boot options to an earlier state.

  3. Mike Cottle

    Upgrading to Win10 presents a bit of a dilemma for healthcare organizations who are subject to HIPAA. The only word from Microsoft on HIPAA compliance and Win10 was a paper they published with HIPAAOne in December 2017. However, there were reports that the suggestions made in this document failed to adequately secure the OS for true HIPAA compliance.

    The issues in question are primarily around Microsoft telemetry and its insistence on certain applications being in place (i.e., Edge, OneNote, etc.). Efforts to interfere with the operation of these products/services often result in a broken OS.

    A covered entity (CE) cannot ignore the Microsoft document because that in itself would be grounds for non-compliance. However, if a CE goes no further than those recommendations they are running the risk of also being non-compliant as well.

    With that in mind cavalier suggestions to “upgrade or else” from well-meaning individuals fall flat.

    1. Justin

      I have blocked telemetry/redirected it in more than one company due to this concern. There are even instructions on how to perform this.

    2. Catwhisperer

      Recently my organization installed a FortiGate 201E. Blocking anything is possible, down to the granularity of a Facebook Like button. Any destination can be blocked, including those that you mention. Features like that don’t come cheap, though, at approximately $6500 including a year cloud and support subscription. You do get what you pay for though. Already found two visitor laptops with communication occurring to C&C servers. Blocked via the device MAC addresses until they get remediation…

    3. KoSReader600000

      I am a bit late but this problem is starting to raise its ugly head. I have two clients that are supposed to be HIPAA compliant and they are starting to ask questions about Win10. These clients have some Win10 and Win7 SP1/Win8.1 64-bit systems and are very concerned about medical privacy.

      “Upgrading to Win10 presents a bit of a dilemma for healthcare organizations who are subject to HIPAA. The only word from Microsoft on HIPAA compliance and Win10 was a paper they published with HIPAAOne in December 2017. However, there were reports that the suggestions made in this document failed to adequately secure the OS for true HIPAA compliance.” -Mike Cottle

      That is essentially what I can find.

      For those of you on this site and others in the health care industry, what is the exact situation with HIPAA and Win10 as of December 2019? The problems of Win10 updates [all Windows updates this year] are bad enough, but add in HIPAA compliance and things get much worse.

      Does anybody have specific information on this subject? It is very important, widespread and should be thoroughly examined.

      1. Mike

        If you pay for an E5 Windows 10 License you get an additional year, which is how Healthcare are approaching this in England

  4. Heather Morris

    This update caused an “endless reboot” of two of our servers (identical Dell PowerEdge T110 II). I ended up powering off, then when they came back up, they listed a message “Stage 5 of 5 Failure configuring Windows updates Reverting changes Do not turn off your computer.” Then, they were OK. Very nerve-wracking!

  5. Ruth Jenkins

    12/12/2019 patch update to Win 7 OS on a Toshiba laptop caused system crash. Microsoft StartupRepair to last setpoint failed, reporting a BadPatch. Details of failure included Adobe Reader, Adobe Flash plugin and Firefox.
    Toshiba system repair succeeded in bringing up Windows desktop, but attempts to boot Adobe Reader failed.
    Uninstalled Adobe Reader and Flash. Reinstalled it. Adobe loads, Firefox loads. Machine seems to work.

  6. Denise Nitterhouse

    7 MS Windows 7 December 2019 updates installed successfully on my Toshiba Portege R705 laptop, but the “2019-12 Security Monthly Quality Rollup for Windows 7 for x64-based systems (KB4530724)” failed. Clicked “Try again” and it said downloading for an hour or so but never did. Retried and restarted computer multiple times, even tried downloading a “Servicing Stack update” but NOTHING has worked. Advice appreciated.

  7. Lily

    Just updated my Windows and I can’t do anything on my computer! I get to my desktop and then I can’t click on anything.

  8. Louise

    Update killed my desktop. It is useless. Will not boot at all even into safe mode. This has happened to me 3 times in the past year. I think my next computer will be a mac.

  9. JohnIL

    In some parts of the world people are poor and their hardware is old and the OS is outdated as well, along with the software they use, but it all works well enough and they have little funds to replace all of it. Personally, I would rather see these people switch to an OS that is updated and secure than stick with an old unsupported Windows. I am not sure Windows 10 fixed a lot that is wrong with its fragmented ecosystem. At least not as much as Microsoft would have liked. We will still see many in enterprise doing critical work on a Win 7 machine, and even some using XP. We know it’s going to happen because we know some have no choice.

  10. Harvey

    What is Microsoft’s reasoning for not keeping current with Flash?

  11. David Muir

    This windows 10 update means I can’t use the computer. I tried rolling back to previous version, but still crashes. Have now done a complete reset, but still can’t log in. Just get black screen. What can I do next?

  12. Ken

    Win 7 runs fine without updates; the problems are the updates. Not including apps. Explorer is another issue.

  13. Carmelo Grajales

    I allowed the update to do its thing. But it could not complete and reverted. But in my case, it trashed my laptop. Just about unusable. Hangs up on everything. I don’t know what to do. Tried it a second time to see if it would repair itself. It repeated the same error and left me without a functioning system.