This month sees Microsoft patch two zero-days in Windows 7 and critical bugs in Windows Deployment Services and DHCP.
Windows 10, Windows Server 2016, and Windows Server 2019
Patch Tuesday sees Microsoft plug 6 critical flaws in Windows 10 and Server 2016. CVE-2019-0603 is a Remote Code Execution (RCE) bug in the way Windows Deployment Services (WDS) implements the Trivial File Transfer Protocol (TFTP) service. To exploit this vulnerability, an attacker would need to send a specially crafted request to an unpatched WDS server, and it could allow them to execute arbitrary code with elevated permissions.
There are three critical RCEs in the DHCP service caused by a memory corruption bug that would require an attacker to send a specially crafted request to run arbitrary code on the client. The two remaining critical flaws are also RCEs. One is a bug in Microsoft XML Core Services that could allow an attacker to invoke MSXML through a specially crafted website. The second is in the way ActiveX Data Objects handle objects in memory and it could allow an attacker to gain the same rights as the logged in user. The 27 remaining flaws are rated important and include 3 RCEs and 8 Elevation of Privilege (EOP) bugs. CVE-2019-0797 was reported by Kaspersky Labs so is probably already being exploited.
Microsoft Edge gets fixes for 6 critical RCEs, all of which are scripting engine memory corruption vulnerabilities that could allow an attacker to gain the same rights as the logged in user. There’s also an important Security Feature Bypass flaw in the way Click2Play protection in Edge handles Flash objects. In conjunction with another vulnerability, an attacker could run arbitrary code.
There are 5 critical RCEs in Internet Explorer 11, including the same scripting engine memory corruption vulnerability that affects Edge. CVE-2019-0666 and CVE-2019-0667 are a VBScript Engine RCE flaw that could allow an attacker to run code in the context of the logged in user.
New Update Uninstall Feature
Microsoft has added a new feature to Windows 10 as part of this month’s cumulative update. If Windows detects a failed startup following an update, it will try to remove the update, and reboot the machine to see if this fixes the problem. And if the problem is solved, the update will not be re-installed for 30 days in the hope that it is long enough for whatever was causing the issue to be resolved. For more information, see Windows 10 Will Now Automatically Uninstall Corrupted Updates on Petri.
Windows 7 and Windows Server 2008
A Win32k EOP flaw is patched this month and it is already being exploited in the wild. CVE-2019-0808 was discovered by Google’s Threat Analysis Group and it is being exploited along with a Chrome zero-day that could allow attackers to break out of Chrome’s sandbox and run arbitrary code. This bug doesn’t affect Windows 10.
The Windows Deployment Services TFTP Server Remote Code Execution Vulnerability that affects Windows 10 has also been patched in Windows 7. As have the ActiveX Data Object, Windows VBScript Engine, and MS XML bugs. There are 3 RCEs rated important. One affects the Jet Database Engine, and another is in how comctl32.dll handles objects in memory.
Microsoft released an update for Windows 7 and Windows Server 2008 R2 SP1 to add support for SHA-2 code signing. Windows Update files are dual signed using SHA-1 and SHA-2. But starting in July 2019, Microsoft will begin signing all Windows Update files using SHA-2 only, so if you don’t have the patch installed, you will stop receiving updates.
The update had been planned for April but was brought forward one month. A separate standalone update will be available April 9th for Windows Server 2008 SP2. You can get more technical details on this change on Microsoft’s website here.
There’s a cross-site-scripting (XSS) vulnerability patched in SharePoint Enterprise Server 2016 and SharePoint Foundation 2013 Service Pack 1. An authenticated user could send a specially crafted request to an unpatched SharePoint server and run scripts in the context of the current user and read data that the user is not authorized to read and take actions on the user’s behalf.
And Office 2010 gets a fix for an RCE in the Access Connectivity Engine. An attacker could use the flaw to run arbitrary code on the victim’s PC. Other than that, there are no security updates for Office this month.
Flash gets a low severity update this month that fixes some feature and performance bugs but doesn’t include any security patches. A rare month indeed.
And that’s it for this month! Happy patching.