"Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update"

Microsoft has patched 48 new vulnerabilities in its products, including one that attackers are actively exploiting and another that was publicly disclosed but is not known to be exploited yet. Six of the vulnerabilities addressed in the company's final monthly security update of the year are rated critical. Microsoft assigned an important severity rating to 43 vulnerabilities and a moderate rating to three. The update also includes fixes for out-of-band CVEs addressed during the previous month, as well as 23 vulnerabilities in the Chromium browser engine that Microsoft Edge is built on.

The actively exploited flaw is not one of the more serious bugs patched. It allows an attacker to bypass Windows SmartScreen, the feature that warns users about files downloaded from the Internet. According to Microsoft, an attacker can craft a malicious file that evades Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features that rely on MOTW tagging, such as Protected View in Microsoft Office. MOTW is the Zone.Identifier alternate data stream that Windows attaches to files saved from the Internet zone; SmartScreen and Office check that stream to decide whether to screen the file. Kevin Breen, director of cyber threat research at Immersive Labs, said the flaw poses only a minor risk on its own because it must be paired with an executable or other malicious payload, such as a document or script file. In that combination it bypasses some of Microsoft's built-in reputation scanning and detection, specifically SmartScreen, which would otherwise alert the user that the file may not be safe. Organizations should not underestimate the threat, however, and should apply the patch as soon as possible.

The second zero-day, an elevation-of-privilege issue in the DirectX Graphics kernel, was described by Microsoft as publicly known but not actively exploited. The vulnerability, rated important, would allow an attacker who already has local access to gain SYSTEM-level privileges if exploited.
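The SmartScreen bypass described above works because the protections downstream of it (SmartScreen itself, Office Protected View) key off the MOTW tag rather than re-evaluating the file. A practical check, then, is to confirm that files which arrived from the Internet actually carry that tag. The PowerShell below is an added example written for this page, not code from the Dark Reading article or from Microsoft; it enumerates a folder (the Downloads path is an assumed default) and reports files that have no Zone.Identifier stream or whose ZoneId is below 3 (Internet), which are exactly the files SmartScreen and Protected View will not screen.

```powershell
# Added example (not from the article): audit files for a Mark of the Web.
# MOTW is stored as the NTFS alternate data stream "Zone.Identifier" with an
# INI-style body ([ZoneTransfer], ZoneId=3, ReferrerUrl=..., HostUrl=...).
# ZoneId 3 = Internet, 4 = Restricted; anything lower, or no stream at all,
# means SmartScreen and Office Protected View treat the file as local.
# The default folder is an assumption; pass -Path to audit somewhere else.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$FilePath)

    $info = [ordered]@{
        File     = $FilePath
        HasMotw  = $false
        ZoneId   = $null
        Referrer = $null
        HostUrl  = $null
    }

    # Get-Item -Stream raises ItemNotFound when the stream is absent; treat that as "no MOTW".
    $stream = Get-Item -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return [pscustomobject]$info }

    $info.HasMotw = $true
    foreach ($line in Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier') {
        if     ($line -match '^\s*ZoneId\s*=\s*(\d+)')       { $info.ZoneId   = [int]$Matches[1] }
        elseif ($line -match '^\s*ReferrerUrl\s*=\s*(.+)$')   { $info.Referrer = $Matches[1].Trim() }
        elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$')       { $info.HostUrl  = $Matches[1].Trim() }
    }
    return [pscustomobject]$info
}

$report = Get-ChildItem -LiteralPath $Path -File -Recurse |
    ForEach-Object { Get-MotwInfo -FilePath $_.FullName }

# Files SmartScreen would not screen: no stream, or a zone below Internet.
$untagged = $report | Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 }

Write-Host ("{0} of {1} files under {2} have no Internet-zone MOTW" -f $untagged.Count, $report.Count, $Path)
$untagged | Format-Table File, HasMotw, ZoneId -AutoSize
```

Absence of the stream is not proof of tampering: files extracted by some archivers, copied from non-NTFS media, or explicitly unblocked with Unblock-File also lose the tag. The point of the audit is that a file you know came from the Internet and shows no MOTW is a file SmartScreen never looked at, so it deserves a manual check regardless of how the tag was lost.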
This article continues to discuss some of the vulnerabilities addressed in Microsoft's final Patch Tuesday of the year.

Dark Reading reports "Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update"
