Microsoft has given system admins plenty of work to do this month with patches for nearly 80 vulnerabilities, including a zero-day flaw in Internet Explorer and a publicly disclosed Exchange server bug.
Top of the priority list in this month’s Patch Tuesday security round-up will probably be CVE-2019-0676, an information disclosure vulnerability in IE which Microsoft claimed has been actively exploited in the wild.
The bug allows attackers to test for the presence of files on the disks of targeted machines.
Also up there is CVE-2019-0686, an elevation of privilege vulnerability in Exchange Server 2010 and newer systems. Microsoft said no attacks had been spotted exploiting the flaw as yet but that this was “likely” in the future.
Recorded Future senior solutions architect, Allan Liska, claimed exploitation requires both Exchange Web Service and push notifications to be enabled.
“While this is not a common configuration, the vulnerability is relatively easy to exploit using the PushSubscriptionRequest API call,” he added.
Also of note this month are two remote code execution vulnerabilities in the Windows SMBv2 server: the same service WannaCry and NotPetya used to spread globally.
“While you can take comfort in the knowing that an attacker would need to be authenticated to exploit them, they could easily run arbitrary code on a vulnerable system,” warned Rapid7 senior security researcher, Greg Wiseman.
He argued that IT teams should prioritize yet another vulnerability for patching: CVE-2019-0626.
“It is an RCE in Windows DHCP Server that could allow an attacker to execute arbitrary code on an affected DHCP server,” he explained. “CVE-2019-0662 and CVE-2019-0618 are also worrisome as RCEs in the Windows Graphic Device Interface could allow a miscreant to take control of affected systems via web-based or file-sharing attacks.”
Other vulnerabilities noted by the experts included: CVE-2019-0540, a security bypass bug in Office, CVE-2019-0636, a Windows information disclosure flaw and CVE-2019-0590, a memory corruption bug in the Chakra Core scripting engine.
“This is the now the 17th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine. The last Patch Tuesday without a Chakra disclosure was September of 2017,” said Liska.