Welcome back to this week's Security Bulletin!
Let's start this week's updates with the "Microsoft Patch Tuesday" November edition. In addition to two security advisories, Microsoft has patched 74 vulnerabilities in this update including 15 vulnerabilities with critical impact. One issue addressed in this patch is a Remote Code Execution vulnerability in the scripting engine with the aid of memory corruption. It was disclosed in the "Pwn2Own" contest held in Tokyo this month, which is an annual hacking contest conducted by the CanSecWest Applied Security Conference. There are reports of active exploitation of this vulnerability, which is being tracked with CVE-2019-1429 and all current versions of Windows or Internet Explorer are affected and should be patched immediately. Another vulnerability that was released publically, but fortunately not exploited is with Microsoft Office ‘Click to Run’ system which under the right, or say wrong circumstances can be used for privilege escalation and execute code as the admin user.
Facebook and User Privacy are seldom on the same page. The company was also hit with a data privacy scandal of harvesting Personally Identified Information of a whopping 87 million users for targeted advertising. The company is back in the news after several users reported an unusual behavior of the Facebook app for the iPhone, their camera gets turned on while they were scrolling their feeds. Guy Rosen, the VP of Integrity at Facebook responded to this matter after several users tweeted the issue. Facebook has patched this issue with a new release in the app store and they claim that none of the images or photos were uploaded due to this bug.
Earlier this year Intel CPUs were impacted by the side-channel attack known as ZombieLoad. This attack exploited the speculative execution mechanism of CPUs, which ideally improves the CPU performance by guessing the instruction needed for a specific task, to exfiltrate data. Now the researchers who discovered the attack have published an article on a new variant of this attack, ZombieLoad v2, to which the latest Cascade Lake CPUs are also vulnerable. Intel terms this vulnerability as Transactional Asynchronous Abort, which is designated with CVE-2019-11135 and applies to newer CPUs. They have published a list of affected products in an advisory and recommends users of these products to "update to the latest firmware version provided by the system manufacturer that addresses these issues."