Microsoft’s December patch update is relatively small judged by the number of vulnerabilities it fixes, but it includes a host of critical scripting engine flaws that affect Windows 10 Edge and Internet Explorer 11.
Indeed, all but one of 20 critical flaws fixed in the December update are caused by scripting engine memory corruption vulnerabilities found in Microsoft’s browsers. And 10 of the scripting engine flaws were reported by Google's Project Zero researchers.
Microsoft started rolling out a fix for the other critical flaw last week after the National Cyber Security Centre (NCSC), a unit of UK spy agency GCHQ, reported two remote code execution flaws in the Microsoft Malware Protection Engine, the scanning engine at the core of several Microsoft security products, including Windows Defender.
An attacker who knew how to exploit the bug could compromise a system by convincing a user to open a specially crafted file. The impact would be worse for systems with real-time protection enabled as the engine, by default, would automatically scan the specially crafted file.
Though Microsoft issued updates for the engine before Patch Tuesday, Zero Day Initiative’s Dustin Childs, formerly of Microsoft’s Trustworthy Computing unit, notes that this was not an out-of-band update. That’s because Microsoft updates the engine as needed, multiple times a month, and not necessarily in line with the Patch Tuesday cycle.
Still, given that the bug wasn’t under attack, he says the unexplained early disclosure “definitely has an odd vibe to it, even if it isn’t that odd.”
Another important advisory Microsoft released in December was one that disabled some features of the DDE protocol in supported versions of Word.
This was an update to an advisory Microsoft published in November explaining how to disable DDE in Word, Outlook, and Excel due to the hacking group Fancy Bear using the protocol in targeted Office attacks to deliver a PowerShell script that downloads spyware.
The new advisory was a defense-in-depth measure aimed at DDE just in Word. The update didn’t disable DDE but rather disabled auto-update for any linked fields in Word.
Other affected products fixed in the December update include Windows, Office, SharePoint, and Exchange.