Microsoft today released the December 2019 Patch Tuesday security updates. This month's updates include fixes for 36 vulnerabilities, among them a zero-day in the Windows operating system that has been exploited in the wild.

"An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory," Microsoft said in a security advisory today.

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," it added. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft credited security researchers from Kaspersky Lab with discovering the zero-day, which it tracks as CVE-2019-1458[1].

Dustin Childs, a member of Trend Micro's Zero Day Initiative (ZDI), believes this Windows zero-day is connected to a zero-day that Google patched in Chrome[2] at the end of October (namely CVE-2019-13720).

"[Kaspersky] reported a UAF in Chrome that was under active exploit," Childs said. "When that [Chrome] bug became public, there was speculation it was being paired with a Windows kernel bug to escape the sandbox.

"While it's not confirmed this patch is connected to those Chrome attacks, this is the type of bug one would use to perform a sandbox escape," he added.

According to Kaspersky, the Chrome zero-day was being used by a hacker group it calls WizardOpium[3]: the group lured users to malicious sites, where the Chrome zero-day was used to infect them with malware.

As is Kaspersky's tradition, the company will most likely publish a blog post tomorrow explaining how this new Windows zero-day was being used. We'll update our coverage accordingly once Kaspersky's blog post goes live.

Other fixes

In total, Microsoft fixed 36 security bugs this month, of which only seven were rated critical.
