Slew of Critical Security Updates From Microsoft and Adobe
Patch or perish, March edition: Microsoft releases fixes for 65 new vulnerabilities, and Adobe issues a slew of updates, including patching a ColdFusion vulnerability being exploited in the wild.
On Tuesday, Microsoft issued updates that patch flaws in a number of products, including Microsoft Windows, the Internet Explorer and Edge browsers, Exchange Server and Microsoft Office Services and Web Apps. Other updates include fixes for ChakraCore, NuGet package manager, Team Foundation Services and the .NET Framework.
Of the Microsoft vulnerabilities, 18 are rated as critical, and 13 of them involve scripting engines or browser components contained in IE, Edge and Office.
Two of the vulnerabilities disclosed by Microsoft this month – CVE-2019-0797 and CVE-2019-0808 – merit rapid attention because they’re being exploited in the wild. The flaws were reported to Microsoft by Kaspersky Lab and Google’s Threat Analysis Group, which saw them being used by attackers.
“An exploit for CVE-2019-0808, in particular, was being chained with another then-zero-day vulnerability in Google Chrome (CVE-2019-5786) in attacks targeting Windows 7 users,” says security firm Trend Micro in a blog post.
Both vulnerabilities are privilege escalation flaws in a Windows component called Win32k, which “when successfully exploited can let hackers run arbitrary code in kernel mode, where the operating system’s core components are run,” Trend Micro says.
The security firm says another serious set of flaws – CVE-2019-0697, CVE-2019-0698, CVE-2019-0726 – involve “memory corruption vulnerabilities in Windows’ dynamic host configuration protocol (DHCP) client, which is used to obtain configuration information such as IP addresses.”
Microsoft says there are no signs that these flaws have been abused yet by attackers, but they’re especially concerning because they could be exploited with no user interaction.
“An attacker can send a malformed DHCP response/network packet to a client/host that exploits the vulnerabilities, leaving the targeted system susceptible to remote code execution,” Trend Micro says.
What to tackle first? Start by immediately patching the three DHCP flaws and the Windows Deployment Services TFTP Server flaw, which could be remotely exploited to execute code, as well as all workstations, says Jimmy Graham, director of product management at security firm Qualys.
“Browser, Scripting Engine, ActiveX, and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” Graham says in a blog post. “This includes multi-user servers that are used as remote desktops for users.”
Users also should rapidly patch all on-premises versions of Microsoft’s Dynamics 365 customer relationship management application, which has a flaw that could be abused to gain privilege escalation, he says.
Adobe Patches ColdFusion, Photoshop
On March 1, Adobe patched a serious flaw in ColdFusion. “The patch was released early due to reported active attacks targeting the vulnerability,” Dustin Childs, who’s part of Trend Micro’s Zero Day Initiative, says in a blog post.
“If an attacker can upload executable code to a web-accessible directory, they could use this bug to execute that code with an HTTP request,” he says. “Considering this bug was found by a researcher on a client’s site, hopefully you have already applied this patch to your ColdFusion servers.”
For either of the two flaws patched in those applications, “successful exploitation could lead to arbitrary code execution in the context of the current user,” Adobe says.
“Neither of these CVEs are listed as being publicly known or under active attack at the time of release,” ZDI’s Childs says.