Microsoft patches 74 vulnerabilities, including one zero-day, in November 2019 Patch Tuesday update

Thirteen vulnerabilities are rated as 'critical'

Microsoft has released its November 2019 Patch Tuesday update, addressing a total of 74 security vulnerabilities across nine products/platforms.

Of the 74 security flaws fixed, 13 are classified as 'critical', while the rest are 'important' bugs.

The November update includes a patch for a zero-day flaw in the Internet Explorer (IE) scripting engine which, according to Microsoft, is currently being exploited in the wild.

Indexed as CVE-2019-1429, the bug could allow hackers to remotely execute arbitrary code on vulnerable systems. Because the bug exists in IE's scripting engine, attackers can use malicious Office documents to execute the code. However, that would happen only if the user has permitted display of rich content on the system.

An attacker, after successfully exploiting the bug, could gain the same user rights as the current user. That means that if the current user has administrative user rights, the attacker can install/delete programmes; view/modify/delete data; and also create new accounts with full admin rights.

This particular security bug was reported by researchers from three different entities: Google, Resecurity, and iDefense Labs. However, none of them revealed any details about the attacks in which the zero-day was discovered.

Microsoft has also fixed a vulnerability in Microsoft Office for Mac that allows hackers to circumvent security restrictions.

Indexed as CVE-2019-1457, this bug causes XLM macros in SYLK files to be executed without users' knowledge if the "Disable all macros without notification" option in Microsoft Excel for Mac is enabled.

Macros are pieces of code that can be embedded in Office files. Hackers frequently use malicious macros to infect Windows systems. They send booby-trapped documents to potential targets through email, and when a user opens those documents, they are prompted to "enable macros."

Microsoft also released two advisories providing details about a new Servicing Stack Update for Windows 10 and a security bug in Trusted Platform Modules (TPM). The bug in TPM is a third-party bug, and is not connected to the Windows OS.

Last month, Microsoft patched a total of 59 vulnerabilities, including nine critical vulnerabilities, in its monthly security update.

Earlier in September, the software maker had addressed 80 vulnerabilities, including 17 'critical' vulnerabilities.