Application Security , Governance & Risk Management , IT Risk Management

Microsoft Patches Fresh Flaws Hit by Hackers

Slew of Critical Security Updates From Microsoft and Adobe
Microsoft Patches Fresh Flaws Hit by Hackers
A partial look at this month's Microsoft fixes, via Trend Micro's Zero Day Initiative

Patch or perish, March edition: Microsoft releases fixes for 65 new vulnerabilities, and Adobe issues a slew of updates, including patching a ColdFusion vulnerability being exploited in the wild.

See Also: Live Webinar | From Risk-Based Vulnerability Management to Exposure Management: The Future of Cybersecurity

On Tuesday, Microsoft issued updates that patch flaws in a number of products, including Microsoft Windows, the Internet Explorer and Edge browsers, Exchange Server and Microsoft Office Services and Web Apps. Other updates include fixes for ChakraCore, NuGet package manager, Team Foundation Services and the .NET Framework.

Of the Microsoft vulnerabilities, 18 are rated as critical, and 13 of them involve scripting engines or browser components contained in IE, Edge and Office.

Two of the vulnerabilities disclosed by Microsoft this month - CVE-2019-0797 and CVE-2019-0808 - merit rapid attention becayse they're being exploited in the wild. The flaws were reported to Microsoft by Kaspersky Lab and Google's Threat Analysis Group, which saw them being used by attackers.

"An exploit for CVE-2019-0808, in particular, was being chained with another then-zero-day vulnerability in Google Chrome (CVE-2019-5786) in attacks targeting Windows 7 users," says security firm Trend Micro in a blog post.

Both vulnerabilities are privilege escalation flaws in a Windows component called Win32k, which "when successfully exploited can let hackers run arbitrary code in kernel mode, where the operating system's core components are run," Trend Micro says.

The security firm says another serious set of flaws - CVE-2019-0697, CVE-2019-0698, CVE-2019-0726 - involve "memory corruption vulnerabilities in Windows' dynamic host configuration protocol (DHCP) client, which is used to obtain configuration information such as IP addresses."

Microsoft says that there are no signs that these flaws have been abused yet by attackers; but they're especially concerning because they could be exploited with no user interaction.

"An attacker can send a malformed DHCP response/network packet to a client/host that exploits the vulnerabilities, leaving the targeted system susceptible to remote code execution," Trend Micro says.

Start Here

What to tackle first? Start by immediately patching the three different DHCP flaws, Windows Deployment Services TFTP Server - it could be remotely exploited to execute code - as well as all workstations, says Jimmy Graham, director of product management at security firm Qualys.

"Browser, Scripting Engine, ActiveX, and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser," Graham says in a blog post. "This includes multi-user servers that are used as remote desktops for users."

Users also should rapidly patch all on-premises versions of Microsoft's Dynamics 365 customer relationship management application, which has a flaw that could be abused to gain privilege escalation, he says.

Adobe Patches ColdFusion, Photoshop

On March 1, Adobe patched a serious flaw in ColdFusion. "The patch was released early due to reported active attacks targeting the vulnerability," Dustin Childs, who's part of Trend Micro's Zero Day Initiative, says in a blog post.

"If an attacker can upload executable code to a web-accessible directory, they could use this bug to execute that code with an HTTP request," he says. "Considering this bug was found by a researcher on a client's site, hopefully you have already applied this patch to your ColdFusion servers."

On Tuesday, Adobe released updates that patch critical vulnerabilities in Photoshop CC for Windows and macOS - the flaw was reported via ZDI - and Adobe Digital Editions.

For either of the two total flaws patched in those applications, "successful exploitation could lead to arbitrary code execution in the context of the current user," Adobe says.

"Neither of these CVEs are listed as being publicly known or under active attack at the time of release," ZDI's Childs says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.