Microsoft’s Patch Tuesday entry for March feature 18 critical security updates, out of 64 overall, all of which can lead to remote code execution if exploited and two of which are active in the wild.
As usual the security patches cover a wide range of Microsoft products, with Edge having more than usual.
“Our guidance for this month is to get the Windows OS and IE updates applied as a top priority and make sure your Google Chrome update from last week is also applied as soon as possible. This will plug the three zero-day CVEs regarding the Win32k.sys Elevation of Privilege vulnerabilities being exploited in the wild and plug two of the publicly disclosed vulnerabilities,” Chris Goettl, director of product management, security, for Ivanti.
The two in the wild issues are the medium CVE-2019-0797 and CVE-2019-0808 and are related to the Chrome vulnerabilities.
“News broke last week that two zero-day vulnerabilities — a Use-After-Free vulnerability in Google Chrome (CVE-2019-5786) and an Elevation of Privilege vulnerability in Microsoft Windows — were being actively exploited in the wild together. Microsoft has now patched the Windows flaw (CVE-2019-0808), and given the media publicity and active exploitation, users should prioritize this patch. CVE-2019-0797, another Elevation of Privilege vulnerability in Win32k, was also reportedly exploited in the wild and patched in this month’s release,” said Recorded Future's Senior Solutions Architect Allan Liska.
The first vulnerability is an elevation of privilege vulnerability in various versions of Windows 10 Version 1803 that can takes place when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, Microsoft wrote. To do so the attacker would have to log into the system and run a specially crafted application that could exploit the vulnerability and take control of an affected system.
CVE-2019-0808 is also an elevation of privilege flaw and can be exploited in the same manner as CVE-2019-0797.
Microsoft’s ChakraCore scripting engine also received some care this month.
“Microsoft also released several patches for Microsoft Edge this month, including CVE-2019-0769, CVE-2019-0770, CVE-2019-0771 and CVE-2019-0773. All of these vulnerabilities are ChakraCore scripting engine vulnerabilities affecting Microsoft Edge running on Windows 10, and if exploited could allow an attacker to exploit arbitrary code. Unlike February’s disclosure, none of these vulnerabilities appear to be exploited in the wild at this time,” said Liska.
Jimmy Graham, Qualys’ director of product management, recommended workstation patches browser, scripting engine, ActiveX, and MSXML patches be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
In addition, Windows deployment services TFTP Server If you are using Windows Deployment Services, this patch should be prioritized, as exploitation could lead to remote code execution on the affected host.
Satnam Narang, senior research engineer at Tenable also pointed out the three Windows DHCP Client remote code execution vulnerabilities with a 9.8 CVSS score in this month’s release as requiring attention.
“This is the third straight month that Microsoft patched high severity bugs in either Windows DHCP Client or Windows DHCP Server, signaling increased attention on finding DHCP bugs,” he said.