    Patch Tuesday February 2019

    Posted on by Russell Smith in Windows Server with 1 Comment

    Windows 10 and Windows Server 2016

    Two updates this month address a critical vulnerability in the Windows Graphics Device Interface (GDI) that could allow an attacker to take control of an affected system by convincing the user to view certain content. This vulnerability is also patched in Internet Explorer 10 and 11. There’s a critical memory corruption vulnerability in the DHCP service that could allow an attacker to run arbitrary code by sending a specially crafted packet. There are also 8 remote code execution vulnerabilities rated Important.

    There are 14 critical vulnerabilities patched in Edge, some of which could allow an attacker to take control if the user has admin rights. Another timely reminder that you can reduce the risk of getting owned by removing admin rights from users.

    Windows 7 and Windows Server 2008

    Windows 7 gets the same Windows Graphics Device Interface (GDI) and DHCP critical patches that are available for Windows 10. Additionally, there are 14 remote code execution vulnerabilities rated Important and patches for Internet Explorer 10.

    Exchange Privilege Escalation Bug

    This month, Microsoft released cumulative updates (CUs) for Exchange Server 2010, 2013, 2016, and 2019. What makes these updates different from previous CUs is that they contain an architectural change to the way Exchange Web Services (EWS) push notifications work. A vulnerability in EWS allows an attacker to use push notifications to gain unauthorized access. Microsoft says:

    When a client subscribes to Push Notifications from Exchange Server, the notifications that are sent to the client include NTLM information that could be used to authenticate as the server that is running Exchange Server. This information was previously included to allow an authenticated response to subscribed clients. Only Push Notifications are affected. Pull and Streaming Notifications are unaffected.

    This bug only affects clients that have push notifications enabled in their environment. While Microsoft had published a workaround, which you can find here, it could cause some client applications to stop working properly. But the latest CUs patch the vulnerability.

    Exchange Active Directory Rights

    Without going into too much detail, by default Exchange uses a shared permissions model with Active Directory (AD) that gives it extensive rights at the root level of any domain that has Exchange servers. This month’s CUs can be used to modify AD to reduce the scope of objects on which Exchange can write security descriptors. This doesn’t affect organizations that have opted to use the split permissions model, which was first available in Exchange Server 2010. About the security changes released today, Microsoft says:

    The combination of the directory permission changes and EWS security change provides the best possible protection against possible attacks, meaning that Active Directory Split Permissions are not required, but still optional.

    Exchange Legacy Authentication Protocols

    Exchange Server 2019 CU1 includes new cmdlet support to create policies that restrict legacy authentication protocols on a per-protocol and user-by-user basis. You can already use Azure AD Conditional Access policies to control how legacy authentication protocols are used in Office 365. See Understanding Azure Active Directory Conditional Access on Petri for more information.
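
As an added example (not from the original article or from Microsoft), this is how a per-protocol, per-user policy can be built with the Exchange Server 2019 authentication policy cmdlets in the Exchange Management Shell. The policy name and mailbox addresses are placeholders, and the choice of protocols to block is an assumption for illustration.

```powershell
# Added example. Run in the Exchange Management Shell on Exchange Server 2019.
# Placeholder values (assumptions, not from the article):
$policyName = 'Block Legacy Auth Pilot'
$pilotUsers = 'pilot1@example.com', 'pilot2@example.com'

# Per protocol: each -BlockLegacyAuth* switch blocks legacy authentication
# for one protocol. Protocols without a switch remain allowed.
$existing = Get-AuthenticationPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $existing) {
    New-AuthenticationPolicy -Name $policyName `
        -BlockLegacyAuthImap `
        -BlockLegacyAuthPop `
        -BlockLegacyAuthActiveSync `
        -BlockLegacyAuthWebServices
}

# Per user: assign the policy to a pilot set of accounts first, so clients
# that cannot use modern authentication are found before a wider rollout.
foreach ($user in $pilotUsers) {
    Set-User -Identity $user -AuthenticationPolicy $policyName
}

# Verify: list every account that now carries an authentication policy.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Sort-Object UserPrincipalName

# Review the switches that are set on the policy itself.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, BlockLegacyAuth*
```

Once the pilot is clean, the same policy can be made the organization default with `Set-OrganizationConfig -DefaultAuthenticationPolicy`, which applies it to accounts that have no policy assigned.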

    For further details on how to make changes to your environment, check out Microsoft’s Knowledgebase article here. And for a more in-depth look at this month’s Exchange CUs, Tony Redmond has a writeup here on Petri: Exchange Privilege Elevation Vulnerability Addressed by Microsoft Patches.

    SharePoint Server

    SharePoint Server gets patched for a critical remote code execution flaw that could allow an attacker to run any code in the context of the application pool and SharePoint server farm account. This vulnerability affects SharePoint 2016, 2013, 2010, and 2009.

    Microsoft Office

    There are no critical flaws patched in Office this month.

    Adobe Flash and Acrobat Reader

    Finally, there is the usual raft of patches for Adobe products. There are 43 critical flaws patched in Acrobat and Reader, including a permanent fix for a bug that could allow remote attackers to harvest NTLM password hashes.