Microsoft released today its monthly roll-up of security patches known as Patch Tuesday. This month, the Redmond-based company fixed 77 security flaws across a wide range of products, from Microsoft Edge to the Azure IoT SDK.
The most critical of all fixed bugs is a zero-day vulnerability in Microsoft’s old Internet Explorer browser that the OS maker says it’s been already exploited in the wild.
This IE zero-day is currently tracked as CVE-2019-0676, and according to Microsoft, “an attacker who successfully exploited this vulnerability could test for the presence of files on disk.”
It is unclear if the zero-day has been used by nation-state hacking groups or by cyber-criminal operations, but in the past, there have been similar IE zero-days that “test for the presence of files on disk.” Historically, these types of IE vulnerabilities have been abused by exploit kit operators for user fingerprinting purposes.
But besides the IE zero-day, there are also many other important patches for other critical bugs.
For starters, there are two vulnerabilities in the SMB (Server Message Block) protocol that can lead to remote code execution. SMB is the same service that the WannaCry and NotPetya ransomware outbreaks leveraged in 2017 to spread across the world.
These bugs —CVE-2019-0630 and CVE-2019-0633— aren’t as severe as the EternalBlue SMB exploit used during those attacks because they don’t bypass SMB authentication, but they are still dangerous because many companies use simplistic passwords to secure SMB client-server communications. Exploits for these two bugs that come with pre-defined lists of SMB credentials can gain access to weakly secured networks after basic dictionary attacks.
In addition, there’s also a remote code execution vulnerability (CVE-2019-0626) affecting the DHCP server component included with Windows Servers.
According to Microsoft, an attacker who can send malformed DHCP packets to vulnerable DHCP servers can hijack the underlying server. Since Windows Servers are used in enterprise networks as part of critical IT infrastructure, exploitation of this flaw can lead to catastrophic consequences.
And last, but not least, Microsoft also patched CVE-2019-0686, a vulnerability more widely known as PrivExchange.
Proof-of-concept code for the PrivExchange vulnerability was released at the end of January. The code exploited a bug in Microsoft Exchange 2013 and newer versions that escalated an attacker’s access from a lowly hacked inbox to admin on a company’s internal domain controller.
Microsoft deployed a fix today after it published a security advisory (ADV190007) last week containing mitigation advice that sysadmins could apply to safeguard servers from attackers.
Besides tthe advisory on mitigating PrivExchange, Microsoft also published today a second advisory (ADV190006) that contains mitigation advice on how syadmins can deal with a new type of attack on Active Directory servers that exploits forest trusts.
Details about this innovative attack routine have been first disclosed at the DerbyCon 2018 security conference by researchers from SpecterOps, who later also detailed their work in two blog posts, here and here.
For additional information on the other bugs patched in this month’s Patch Tuesday updates, this blog post from the Trend Micro Zero-Day Initiative team provides additional insight in the form of a simple HTML table.
The information from that table is also available on Microsoft’s official Security Update Guide portal, available here, which provides interactive filtering controls so that users can find the updates and patches for only the products that are of interest.
Earlier today, Adobe released its own security updates. This month, the company has shipped security updates for Adobe Flash Player, Adobe Acrobat/Reader, the ColdFusion programming language, and the Creative Cloud desktop app.
Just like Microsoft has been doing for the past few years, the Adobe Flash Player security fixes have also been included with this month’s Patch Tuesday Windows updates.