Microsoft March Patch Tuesday comes with fixes for two Windows zero-days
Microsoft rolled out today its monthly batch of security patches known as Patch Tuesday.
Security
This month, the Redmond-based company fixed 64 vulnerabilities, 17 of which were rated critical, including two zero-days affecting in its main product, the Windows operating system.
First Windows zero-day
The first of these zero-days is one that Google made public last week. Google said this zero-day was being abused in attacks against Windows 7 32-bit users.
Today Microsoft didn't release patches for Windows 7 only, but also for Windows Server 2008 systems, which are also impacted by this issue --tracked as CVE-2019-0808.
According to a Google security alert from last week, attackers used the Windows zero-day together with a Chrome zero-day to escape the Chrome browser sandbox and execute malicious code on targeted systems.
CVE-2019-0808's role in the exploit chain was to allow attackers to execute their malicious code with elevated admin privileges once the Chrome zero-day helped attackers escape from the Chrome security sandbox.
Google, too, patched its side of the aisle last week, with the release of Chrome 72.0.3626.121.
Second Windows zero-day
Further, Microsoft also patched a second zero-day today, discovered by Kaspersky researchers, and tracked as CVE-2019-0797. Just like the first, this zero-day is an elevation of privilege (EoP) bug that can allow attackers to run code with admin privileges.
"An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory," Microsoft said today in a security advisory. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
This zero-day impacts all Windows versions, including Windows 10. Neither Microsoft or Kaspersky revealed any details about the attacks exploiting this zero-day.
Other fixes
In addition to the two zero-days, Microsoft fixed (again) three major vulnerabilities in the Windows DHCP client that could allow remote attackers to take over vulnerable machines (CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726).
The OS maker has been patching lots of these DHCP security flaws lately, with at least one in almost every Patch Tuesday released in the last few months.
3 more DHCP client critical RCEs this month! https://t.co/2T6VbvBDox https://t.co/EZ7Olk4j7U https://t.co/u9jS8hDfJy
— Brandon Falk (@gamozolabs) March 12, 2019
Last but not least, Microsoft also corrected a patch for a Windows Deployment Services (WDS) bug it initially fixed last year. This bug is different from a similar WDS bug reported by Check Point.
For additional information on the other bugs patched in this month's Patch Tuesday, please refer to the table embedded below, or to this Patch Tuesday report generated by ZDNet or this alternative one assembled by Trend Micro's Zero-Day Initiative, or this one by SANS.
| Tag | CVE ID | CVE Title |
|---|---|---|
| Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates |
| Adobe Flash Player | ADV190008 | March 2019 Adobe Flash Security Update |
| Microsoft Windows | ADV190009 | SHA-2 Code Sign Support Advisory |
| Microsoft Windows | ADV190010 | Best Practices Regarding Sharing of a Single User Account Across Multiple Users |
| Active Directory | CVE-2019-0683 | Active Directory Elevation of Privilege Vulnerability |
| Azure | CVE-2019-0816 | Azure SSH Keypairs Security Feature Bypass Vulnerability |
| Internet Explorer | CVE-2019-0768 | Internet Explorer Security Feature Bypass Vulnerability |
| Internet Explorer | CVE-2019-0761 | Internet Explorer Security Feature Bypass Vulnerability |
| Internet Explorer | CVE-2019-0763 | Internet Explorer Memory Corruption Vulnerability |
| Microsoft Browsers | CVE-2019-0780 | Microsoft Browser Memory Corruption Vulnerability |
| Microsoft Browsers | CVE-2019-0762 | Microsoft Browsers Security Feature Bypass Vulnerability |
| Microsoft Edge | CVE-2019-0612 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Edge | CVE-2019-0678 | Microsoft Edge Elevation of Privilege Vulnerability |
| Microsoft Edge | CVE-2019-0779 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Graphics Component | CVE-2019-0808 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-0774 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-0797 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-0614 | Windows GDI Information Disclosure Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0617 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-0748 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0778 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0592 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0746 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0639 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0783 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0609 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0611 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0666 | Windows VBScript Engine Remote Code Execution Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0769 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0665 | Windows VBScript Engine Remote Code Execution Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0667 | Windows VBScript Engine Remote Code Execution Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0680 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0773 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0770 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0771 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0772 | Windows VBScript Engine Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-0754 | Windows Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-0765 | Comctl32 Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-0766 | Microsoft Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability |
| Microsoft XML | CVE-2019-0756 | MS XML Remote Code Execution Vulnerability |
| NuGet | CVE-2019-0757 | NuGet Package Manager Tampering Vulnerability |
| Skype for Business | CVE-2019-0798 | Skype for Business and Lync Spoofing Vulnerability |
| Team Foundation Server | CVE-2019-0777 | Team Foundation Server Cross-site Scripting Vulnerability |
| Visual Studio | CVE-2019-0809 | Visual Studio Remote Code Execution Vulnerability |
| Windows DHCP Client | CVE-2019-0726 | Windows DHCP Client Remote Code Execution Vulnerability |
| Windows DHCP Client | CVE-2019-0697 | Windows DHCP Client Remote Code Execution Vulnerability |
| Windows DHCP Client | CVE-2019-0698 | Windows DHCP Client Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-0695 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2019-0690 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2019-0701 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Kernel | CVE-2019-0702 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2019-0696 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-0775 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2019-0755 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2019-0767 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel | CVE-2019-0782 | Windows Kernel Information Disclosure Vulnerability |
| Windows Kernel-Mode Drivers | CVE-2019-0776 | Win32k Information Disclosure Vulnerability |
| Windows Print Spooler Components | CVE-2019-0759 | Windows Print Spooler Information Disclosure Vulnerability |
| Windows SMB Server | CVE-2019-0704 | Windows SMB Information Disclosure Vulnerability |
| Windows SMB Server | CVE-2019-0703 | Windows SMB Information Disclosure Vulnerability |
| Windows SMB Server | CVE-2019-0821 | Windows SMB Information Disclosure Vulnerability |
| Windows Subsystem for Linux | CVE-2019-0689 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
| Windows Subsystem for Linux | CVE-2019-0682 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
| Windows Subsystem for Linux | CVE-2019-0694 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
| Windows Subsystem for Linux | CVE-2019-0693 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
| Windows Subsystem for Linux | CVE-2019-0692 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
Additional information is also available on Microsoft's official Security Update Guide portal, which also includes interactive filtering options so users can find the updates and patches for only the products that are of interest.
Since the Microsoft Patch Tuesday is also the day when other vendors also release security patches, it's also worth mentioning that Adobe released its batch earlier today. This month, the company has shipped security updates for Adobe Photoshop CC, its image editing software, and Digital Editions, its e-book reader app.
Another company which released security updates is SAP. Its updates are here.
In Memoriam: All the consumer products Microsoft has killed off
More vulnerability reports:
- Google reveals Chrome zero-day under active attacks
- New exploit lets attackers take control of Windows IoT Core devices
- Google: Chrome zero-day was used together with a Windows 7 zero-day
- WDS bug lets hackers hijack Windows Servers via malformed TFTP packets
- Vulnerability in Swiss e-voting system could have led to vote alterations
- Cisco tells Nexus switch owners to disable POAP feature for security reasons
- DJI fixes vulnerability that let potential hackers spy on drones CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic