March Patch Tuesday Fixes Two Zero Days

Microsoft has patched over 60 vulnerabilities this month, two of which are being exploited in the wild and four of which were previously disclosed.

The two Windows flaws being used to attack targets are elevation of privilege bugs CVE-2019-0797 and CVE-2019-0808. The latter was being used in combination with a use-after-free vulnerability in Google Chrome (CVE-2019-5786).

“Although not as severe due to requiring local access, they could be used in conjunction with an RCE exploit in order to take full control of a system,” said Rapid7 senior security researcher, Greg Wiseman.

However, he said IT admins should prioritize three others, which are critical RCE flaws in the Windows DHCP client: CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726.

“Systems running Windows Deployment Services TFTP Server should also be patched against CVE-2019-0603 as soon as possible,” he added.

The four previously disclosed vulnerabilities patched yesterday are Visual Studio RCE bug CVE-2019-0809, which affects the Visual Studio C++ Redistributable Installer; CVE-2019-0757, a NuGet Package Manager tampering vulnerability affecting Linux and Mac installations; Active Directory elevation of privilege vulnerability CVE-2019-0683; and Windows DoS flaw CVE-2019-0754.

There were also several patches for Microsoft Edge released this month, including CVE-2019-0769, CVE-2019-0770, CVE-2019-0771 and CVE-2019-0773.

“All of these vulnerabilities are ChakraCore scripting engine vulnerabilities affecting Microsoft Edge running on Windows 10, and if exploited could allow an attacker to exploit arbitrary code,” explained Recorded Future senior solutions architect, Allan Liska.

There were no Adobe security patches to worry about this month, but SAP has issued 15 fixes in its monthly Security Notes update.

The most critical, SAP Security Note #2764283, has a CVSS score of 8.7 and patches a critical bug in SAP HANA Extended Application Services Advanced.

“This bug can lead to critical compromise of data confidentiality, including arbitrary file retrieval from the server, and availability, such as denial-of-service conditions in successful exploits,” wrote security firm Onapsis.