Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Patch Tuesday February 2019

Windows 10 and Windows Server 2016

Two updates this month address a critical vulnerability in the Windows Graphics Device Interface (GDI) that could allow an attacker to take control of an affected system by convincing the user to view certain content. This exploit is also patched in Internet Explorer 10 and 11. There’s a critical memory corruption vulnerability in the DHCP service that could allow an attacker to run arbitrary code by sending a specially crafted packet. There are also 8 remote code vulnerabilities rated Important.

There are 14 critical vulnerabilities patched in Edge, some of which could allow an attacker to take control if the user has admin rights. Another timely reminder that you can reduce the risk of getting owned by removing admin rights from users.

Windows 7 and Windows Server 2008

Windows 7 gets the same Windows Graphics Device Interface (GDI) and DHCP critical patches that are available for Windows 10. Additionally, there are 14 remote code vulnerabilities rated Important and patches for Internet Explorer 10.

Exchange Privilege Escalation Bug

This month, Microsoft released cumulative updates (CUs) for Exchange Server 2010, 2013, 2016, and 2019. What makes these updates different from previous CUs is that they contain an architectural change to the way Exchange Web Services (EWS) push notifications work. A vulnerability in EWS allows an attacker to use push notifications to gain unauthorized access. Microsoft says:

When a client subscribes to Push Notifications from Exchange Server, the notifications that are sent to the client include NTLM information that could be used to authenticate as the server that is running Exchange Server. This information was previously included to allow an authenticated response to subscribed clients. Only Push Notifications are affected. Pull and Streaming Notifications are unaffected.

This bug only affects clients that have push notifications enabled in their environment. While Microsoft had published a workaround, which you can find here, it could cause some client applications to stop working properly. But the latest CUs patch the vulnerability.

Exchange Server 2019 – Cumulative Update 1
Exchange Server 2016 – Cumulative Update 12
Exchange Server 2013 – Cumulative Update 22
Exchange Server 2010 – Update Rollup 26

Exchange Active Directory Rights

Without going into too much detail, by default Exchange uses a shared permissions model with Active Directory (AD) that gives it extensive rights at the root level of any domain that has Exchange servers. This month’s CUs can be used to modify AD to reduce the scope of objects on which Exchange can write security descriptors. This doesn’t affect organizations that have opted to use the split permissions model, which was first available in Exchange Server 2010. About the security changes released today, Microsoft says:

The combination of the directory permission changes and EWS security change provides the best possible protection against possible attacks, meaning that Active Directory Split Permissions are not required, but still optional.

Exchange Legacy Authentication Protocols

Exchange Server 2019 CU1 includes new cmdlet support to create policies that restrict legacy authentication protocols on a per protocol and user by user basis. You can already use Azure AD Conditional Access policies to control how legacy authentication protocols are used in Office 365. See Understanding Azure Active Directory Conditional Access on Petri for more information.

For further details on how to make changes to your environment, check out Microsoft’s Knowledgebase article here. And for a more in-depth look at this month Exchange CUs, Tony Redmond has a writeup here on Petri: Exchange Privilege Elevation Vulnerability Addressed by Microsoft Patches.

SharePoint Server

SharePoint Server gets patched for a critical remote code execution flaw that could allow an attacker to run any code in the context of the application pool and SharePoint server farm account. This vulnerability affects SharePoint 2016, 2013, 2010, and 2009.

Microsoft Office

There are no critical flaws patched in Office this month.

Adobe Flash and Acrobat Reader

Finally, there is the usual raft of patches for Adobe products. There are 43 critical flaws patched in Acrobat and Reader, including a permanent fix for a bug that could allow remote attackers to harvest NTLM password hashes.

by Russell Smith
Feb 20, 2019

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

What Is Windows Server?

Feb 22, 2024
Windows Server Backup: A Step-by-Step Guide

Jan 5, 2024
Mar 22, 2024
What Is an Access Control List (ACL)?

Feb 19, 2024

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.