Microsoft released a total of 36 patches for December’s Patch Tuesday. Decembers tend to have a relatively low number of patches, and the last Patch Tuesday of the 2010s was no different. Seven of the 36 patches were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products, including Windows, Internet Explorer, Office, Hyper-V Server, and SQL Server. None of the fixed vulnerabilities were disclosed to the public before patching, although one was under active attack at the time of the patch.
Here’s a more detailed look at the notable vulnerabilities that have been patched in December:
XSS vulnerability in SQL Server Report Manager
CVE-2019-1332 is a cross-site scripting (XSS) vulnerability in SQL Server Report Manager. If successfully abused, it could let an attacker steal web cookies and hijack web sessions. This vulnerability can also potentially allow unauthorized access to the affected computer.
Remote Desktop Protocol vulnerability
CVE-2019-1453, a denial of service vulnerability in Remote Desktop Protocol (RDP), is triggered when an attacker connects to the target system using RDP and sends specially crafted requests. Upon successful execution, an attacker could cause the RDP service on the target system to stop responding.
RCE vulnerability in PowerPoint
CVE-2019-1462 is an RCE vulnerability that can let an attacker run arbitrary code in the context of the current user. A current user logged on with administrative user rights can allow an attacker to ta ..