News

Microsoft Addresses Zero-Day Flaws in March Security Patch Release

• By Kurt Mackie
• 03/12/2019

Microsoft released security patches on "update Tuesday" to address 64 common vulnerabilities and exposures (CVEs), which were typically associated with products like Windows, Office services and Microsoft's browsers.

The March security bundle included 17 CVEs that were rated "Critical," with 45 rated "Important," according to Trend Micro's Zero Day Initiative (ZDI) count. There also was one bulletin ranked "Moderate" and one ranked "Low" in priority. 

Active and Public Exploits
Two of the CVEs have been seen in active exploits, while four were made public, upping their value for potential attacks, according to analysis by Chris Goettl, Ivanti's director of product management and security. Ivanti plans to hold a discussion of Microsoft's March patches on March 13, which can be accessed through Ivanti's "Patch Tuesday" portal (with registration).

Active exploits and public disclosures are more important considerations than severity ratings when determining patching priorities, according to Goettl:

Our guidance to Ivanti customers is to not rely solely on vendor severity or even CVSS score as your only triggers for what should be deployed to your environment. Exploited, publicly disclosed, and user targeted vulnerabilities should also be taken into account.

One vulnerability that was "detected in the wild" or being actively exploited is CVE 2019-0797, but it's only rated "Important." It's an elevation-of-privilege issue affecting Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2012 R2, as well as "Server 1709, 1803, 2016 and 2019" versions. This vulnerability was utilized in the Google Chrome zero-day attack that was reported last week.  

"This [CVE 2019-0797 bulletin] relates to the Google Chrome CVE-2019-5786 that took advantage of this OS vulnerability to evade security sandbox meant to keep browser sessions from interacting with the OS," Goettl explained via an e-mail. 

Also related to that Google Chrome zero-day issue is CVE-2019-0808, another elevation-of-privilege patch item that also was "detected in the wild." It's also rated "Important" and concerns Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Other publicly disclosed vulnerabilities addressed in this month's bundle of patches include CVE-2019-0809, a Visual Studio remote code execution flaw; CVE-2019-0683, an Active Directory elevation-of-privilege flaw; CVE-2019-0757, a NuGet package manager tampering flaw; and CVE-2019-0754, a Windows denial-of-service flaw, according to Goettl.

Other Notable Items
Trend Micro's ZDI also cited a couple of other items of note this month. For instance, CVE-2019-0603 is a Windows Deployment Services Trivial File Transfer Protocol (TFTP) Server remote code execution vulnerability, rated "Critical," that was "originally reported through the ZDI program." It can be implemented by sending a request to an unpatched server. "If you're using WDS in your environment, definitely put this one near the top of your test and deployment list," ZDI indicated.

Another notable "Critical" issue, according to ZDI, is a Windows Dynamic Host Configuration Protocol (DHCP) client remote code execution vulnerability. There are three DHCP vulnerabilities getting patched with respect to this issue, namely CVE-2019-0697, CVE-2019-0698 and CVE-2019-0726. The exploit involves sending a particular response to a client and would likely require a man-in-the-middle attack to carry it out, "but a successful exploit would have wide-ranging consequences," ZDI indicated.

Cisco's Talos security researchers also offer a list-type analysis of this month's patches in this blog post.

Computerworld writer Woody Leonhard commented in a blog post that he didn't see much that needed immediate patching in Microsoft's March bundle so far.

One item not deemed worthy of a patch by Microsoft is a proof-of-concept attack. An attacker is able to alter the Windows dialog box messages that appear after a Registry change is made. The issue is described in this Kaspersky Lab Threatpost story.

As usual, Microsoft keeps an exhaustive list of the month's patches in its Security Update Guide page, which lists 1,455 items over 73 pages. Updates for specific products are listed in this page. There are also Release Notes, which show that three security advisories were released this month.

One of the advisories (ADV990001) lists the latest servicing stack updates. Another (ADV190008) lists Adobe Flash security updates. The third advisory (ADV190010) tells IT pros to stop using a shared account for Windows log-ons for different users as it's deemed to be a security risk. The advice seems to apply to organizations using Remote Desktop Services sessions to connect end users.

There's also security advisory ADV190009 that was released this month. The advisory describes Microsoft's "release of SHA-2 code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1," as well as Windows Server Update Services (WSUS). By July 2019, Microsoft will be requiring that these older operating systems support SHA-2 code signing to continue to get Windows updates, according to Microsoft's summary document. Microsoft plans to roll out support for SHA-2 in these OSes gradually, as described in the document.