Security Researchers Highlight Exchange and IE Zero-Day in February Microsoft Patches

Microsoft's February "update Tuesday" release was notable for delivering major security updates and architectural changes to all supported Exchange Server products, along with a "zero-day" IE patch.

All told, Microsoft released patches for 20 "Critical" vulnerabilities, 54 "Important" ones and three that were rated as "Moderate."

That count can be found in analysis by Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) post, which attributed 21 of the common vulnerabilities and exploits (CVEs) reported this month to ZDI's research efforts. Microsoft's security solution partners tend to offer the most cogent summaries of Microsoft's update Tuesday releases. However, IT pros who like sprawling lists can always comb through Microsoft's official multipage Security Update Guide.

In addition to releasing patches for Windows client and server components on Tuesday, Microsoft released security and quality updates for .NET Framework. It also released Office updates and SharePoint updates.

Top Priorities
The "interesting patches" this month's release, according to Childs, included:

  • Exchange Server elevation-of-privilege vulnerability (CVE-2019-0686), a high-priority issue that "pivots off a previous bug reported through the ZDI program that was addressed via a registry key rather than a patch."
  • Windows Dynamic Host Configuration Protocol (DHCP) Server remote code execution vulnerability (CVE-2019-0626), which enables server takeover via "a specially crafted packet."
  • SharePoint remote code execution vulnerability (CVE-2019-0594, CVE-2019-0604).
  • Internet Explorer information disclosure vulnerability (CVE-2019-0676), which is the one flaw this month that's actively being used for attacks.

With regard to the IE issue, Childs noted that Microsoft has described the IE browser as just being a "compatibility solution," so organizations may want to "figure out your upgrade strategy." Microsoft recently expressed the notion that it wants organizations to use Microsoft Edge as their main browser, and IE secondarily.

Chris Goettl, director of product management for security at Ivanti, clarified in a blog post that Microsoft's February patch bundle addressed two CVEs in Exchange Server products, namely CVE-2019-0686 and CVE-2019-0724. The patch for the first vulnerability will change how Exchange Web Services authenticates, while the latter patch limits the ability of attackers to gain domain administrator privileges. With regard to CVE-2019-0724, Goettl noted that Microsoft's patch will "modify permissions in your Exchange configuration," and that users of Exchange Server 2010 will need to "take additional manual steps to make the permissions changes," as described in KB4490059.

Goettl described the IE vulnerability (CVE-2019-0676) in this month's patch bundle as a "Zero Day exploit," adding that it is "actively being exploited to allow an attacker to read the contents of files on a disk." He ranked Microsoft's operating system, browser and Office patches this month as the top priorities, as well as the Exchange Server escalation-of-privilege patches.

As usual, this month's Adobe Flash, Acrobat and Reader patches were prioritized by the security researchers. They are frequent targets of attack.

This month's patch tally according to Cisco Talos researchers was similar to that of ZDI, although Talos counted 46 "Important" vulnerabilities in Microsoft's February patch release. Talos highlighted memory corruption vulnerabilities as being among this month's highlights. These vulnerabilities are present in the Microsoft scripting engine, as well as the Edge and IE browsers, enabling memory corruption and remote code execution.

Talos also specifically highlighted a remote code execution vulnerability in the Adobe Acrobat Reader, adding that a Talos researcher is credited for finding it.

Patch Quality
So far, all has been quiet with regard to potential problems with this February patch release by Microsoft, according to the ever-watchful Computerworld writer Woody Leonhard in a blog post. He generally recommends waiting on applying patches when they are first released.

In that respect, a 2019 Blue Hat presentation by Matt Miller of the Microsoft Security Response Center had suggested that if an exploit happens, it'll likely be a zero-day exploit, which means that it's a flaw that was unknown or unpublicized by a software developer. That notion is summarized in this Born's Tech and Windows World blog post.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

comments powered by Disqus