Google Project Zero have released details of a proof-of-concept security certificate that, when processed by Windows, causes the code to go into a continuous loop. This loop will often require a reboot.
The vulnerability had previously been reported to Microsoft, who were given a 90-day deadline in which to fix it. Unfortunately, Microsoft, although originally planning to roll a fix this month, postponed the fix until July. Therefore, Google went public.
If you haven’t checked the latest updates, featured in the Patch Tuesday roll-out on 11/6/19, then you might want to have a look. Microsoft, Adobe, Intel and SAP have all emitted security fixes.
There have been 88 CVE-listed flaws addressed by Microsoft, 4 of which fix elevation-of-privileges vulnerabilities found in Windows Shell, Task Scheduler, Windows Installer and AppX Deployment service.
There are also patches for critical remote code in Edge and IE, along with other fixes to scripting engines which allow the execution of malicious code. There is also a fix for a DoS bug, which whilst not normally severe, it can affect IIS servers which face the public internet.
Holes have been patched in Hyper-V, which if exploited allows the attacker to escape the virtual machine and thus run malicious code on the host.
Adobe have fixed vulnerabilities to stop the exploitation of malicious code in Flash Player, Campaign Classic and Cold Fusion.
SAP have released 11 patches to address issues in HANA Solutions manager, including information disclosure bugs that allow the creation of new privileged accounts, and a cross scripting flaw in Business Objects.