Microsoft February Patch Tuesday fixes 77 safety flaws, together with IE zero-day



Picture: Microsoft

Microsoft launched in the present day its month-to-month roll-up of safety patches referred to as Patch Tuesday. This month, the Redmond-based firm fastened 77 safety flaws throughout a variety of merchandise, from Microsoft Edge to the Azure IoT SDK.

Probably the most crucial of all fastened bugs is a zero-day vulnerability in Microsoft’s outdated Web Explorer browser that the OS maker says it has been already exploited within the wild.

This IE zero-day is at present tracked as CVE-2019-0676, and in keeping with Microsoft, “an attacker who efficiently exploited this vulnerability may take a look at for the presence of recordsdata on disk.”

It’s unclear if the zero-day has been utilized by nation-state hacking teams or by cyber-criminal operations, however prior to now, there have been related IE zero-days that “take a look at for the presence of recordsdata on disk.” Traditionally, most of these IE vulnerabilities have been abused by exploit package operators for consumer fingerprinting functions.

However in addition to the IE zero-day, there are additionally many different vital patches for different crucial bugs.

For starters, there are two vulnerabilities within the SMB (Server Message Block) protocol that may result in distant code execution. SMB is identical service that the WannaCry and NotPetya ransomware outbreaks leveraged in 2017 to unfold the world over.

These bugs –CVE-2019-0630 and CVE-2019-0633– aren’t as extreme because the EternalBlue SMB exploit used throughout these assaults as a result of they do not bypass SMB authentication, however they’re nonetheless harmful as a result of many corporations use simplistic passwords to safe SMB client-server communications. Exploits for these two bugs that include pre-defined lists of SMB credentials can acquire entry to weakly secured networks after fundamental dictionary assaults.

As well as, there’s additionally a distant code execution vulnerability (CVE-2019-0626) affecting the DHCP server part included with Home windows Servers.

In keeping with Microsoft, an attacker who can ship malformed DHCP packets to susceptible DHCP servers can hijack the underlying server. Since Home windows Servers are utilized in enterprise networks as a part of crucial IT infrastructure, exploitation of this flaw can result in catastrophic penalties.

And final, however not least, Microsoft additionally patched CVE-2019-0686, a vulnerability extra extensively referred to as PrivExchange.

Proof-of-concept code for the PrivExchange vulnerability was launched on the finish of January. The code exploited a bug in Microsoft Change 2013 and newer variations that escalated an attacker’s entry from a lowly hacked inbox to admin on an organization’s inside area controller.

Microsoft deployed a repair in the present day after it revealed a safety advisory (ADV190007) final week containing mitigation recommendation that sysadmins may apply to safeguard servers from attackers.

Moreover tthe advisory on mitigating PrivExchange, Microsoft additionally revealed in the present day a second advisory (ADV190006) that comprises mitigation recommendation on how syadmins can take care of a brand new sort of assault on Energetic Listing servers that exploits forest trusts.

Particulars about this modern assault routine have been first disclosed on the DerbyCon 2018 safety convention by researchers from SpecterOps, who later additionally detailed their work in two weblog posts, right here and right here.

For extra info on the opposite bugs patched on this month’s Patch Tuesday updates, this weblog submit from the Pattern Micro Zero-Day Initiative group supplies extra perception within the type of a easy HTML desk.

The data from that desk can also be obtainable on Microsoft’s official Safety Replace Information portal, obtainable right here, which supplies interactive filtering controls in order that customers can discover the updates and patches for less than the merchandise which can be of curiosity.

Earlier in the present day, Adobe launched its personal safety updates. This month, the corporate has shipped safety updates for Adobe Flash Participant, Adobe Acrobat/Reader, the ColdFusion programming language, and the Artistic Cloud desktop app.

Identical to Microsoft has been doing for the previous few years, the Adobe Flash Participant safety fixes have additionally been included with this month’s Patch Tuesday Home windows updates.

Associated safety protection: