UPDATE
Microsoft has added a fresh CVE to its security portal, linking it to the existing November security updates (the patch itself was already included in the updates, but not specifically named). The CVE describes a vulnerability in SharePoint Server.
According to a Microsoft Security Advisory, an attacker could exploit the bug (CVE-2019-1491) to obtain sensitive information and then use that information to mount further attacks.
“An information disclosure vulnerability exists in SharePoint Server. An attacker who exploited this vulnerability could read arbitrary files on the server,” according to the advisory, published on Tuesday. “To exploit the vulnerability, an attacker would need to send a specially crafted request to a susceptible SharePoint Server instance.”
The reading pane is not an attack vector, the computing giant added.
The patch addresses the important-severity vulnerability by changing how affected APIs process requests. Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 SP2 and 2013 SP1 and Microsoft SharePoint Server 2019 are impacted; Saif ElSherei of Microsoft Research Center’s Vulnerabilities and Mitigations Team is credited with discovering the bug.
The CVE has been added to the computing giant’s existing stash of Patch Tuesday security updates.
December’s Patch Tuesday was relatively light, and it delivered just 37 CVEs (including the new one) across a range of products. The scheduled security update this month in all now includes patches for Microsoft Windows, Internet Explorer, Microsoft Office and related apps, SQL Server, Visual Studio and Skype for Business; it addressed seven bugs that are rated critical, 29 that are rated important (including the new bug), and one rated moderate in severity.
One of the updates is a fix for a bug that was first seen being exploited in the wild as a zero-day. CVE-2019-1458 is an elevation-of-privilege vulnerability in Win32k; the exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said.
This post was updated at 10:50 a.m. ET on Dec. 19 to correct the statement that this was an “out-of-band” security patch. CISA/US-CERT mistakenly issued an alert using that language, leading to confusion on the part of this reporter and many others. We apologize for the error.