The March 2019 Security Update Review
March 12, 2019 | Dustin Childs

March is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of this month’s security patches.
Adobe Patches for March 2019
Adobe began their March release cycle on the first of the month with a patch for ColdFusion. The patch was released early due to reported active attacks targeting the vulnerability. If an attacker can upload executable code to a web-accessible directory, they could use this bug to execute that code with an HTTP request. Considering this bug was found by a researcher on a client’s site, hopefully you have already applied this patch to your ColdFusion servers.
Today, Adobe released patches for bugs in Photoshop and Adobe Digital Editions. The Photoshop bug was reported through the ZDI program. The one CVE addressed by the patch is a heap corruption due to an out-of-bounds write in Photoshop that could allow code execution if an attacker could convince someone to open a specially crafted file. Similarly, the Digital Editions patch references only one CVE, which corrects a code execution bug. Neither of these CVEs is listed as being publicly known or under active attack at the time of release.
Microsoft Patches for March 2019
For March, Microsoft released security patches for 64 CVEs along with four advisories. The patches cover Internet Explorer (IE), Edge, Exchange Server, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, NuGet package manager, Team Foundation Server and the .NET Framework. Of these 64 CVEs, 17 are rated Critical, 45 are rated Important, one is rated Moderate, and one is rated Low in severity. A total of seven of these CVEs came through the ZDI program. Four of these bugs are listed as public and two are listed as being under active attack at the time of release.
Let’s take a closer look at some of the more interesting patches for this month, starting with the bugs under active attack:
- CVE-2019-0797, CVE-2019-0808 – Win32k Elevation of Privilege Vulnerability
These two nearly identical bugs are the two under active attack in this release. One was reported by Kaspersky Lab while the other was reported by the Google Threat Analysis Group, which implies both of these have been spotted in targeted malware. Regardless, these bugs allow an attacker who already has access to a system to elevate privileges and take it over. While bugs in Win32k are rated Important due to the access requirement, the impact of successful attacks shows why they shouldn’t be ignored.
- CVE-2019-0603 – Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an attacker to execute code with elevated permissions through a specially crafted TFTP message. While similar to a recently detailed TFTP bug patched in November, this bug occurs in a different function. This bug is in the implementation of the TFTP service and not in the TFTP protocol itself. To exploit this bug, an attacker would need to send a specially crafted request to an affected server. If you’re using WDS in your environment, definitely put this one near the top of your test and deployment list.
- CVE-2019-0697, CVE-2019-0698, CVE-2019-0726 – Windows DHCP Client Remote Code Execution Vulnerability
This is the third month in a row with a Critical-rated DHCP bug, with this month’s offering being three separate remote code execution bugs in the DHCP client. Each CVE represents a bug in the DHCP client that could allow attackers to execute their code on affected systems. These bugs are particularly impactful since they require no user interaction – an attacker sends a specially crafted response to a client – and every OS has a DHCP client. There would likely need to be a man-in-the-middle component to properly execute an attack, but a successful exploit would have wide-ranging consequences.
- CVE-2019-0757 – NuGet Package Manager Tampering Vulnerability
This patch corrects a bug in the NuGet package manager that allows an attacker to modify a package’s folder structure. If successful, they could modify files and folders that are unpacked on a system. If done silently, an attacker could potentially propagate their modified package to many unsuspecting users of the package manager. Fortunately, this requires authentication, which greatly reduces the chances of this occurring. This is one of the four publicly known bugs for this month, so if you’re a NuGet user, definitely get this patch.
Here’s the full list of CVEs released by Microsoft for March 2019.
| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-0797 | Win32k Elevation of Privilege Vulnerability | Important | No | Yes | 3 | 0 | EoP |
| CVE-2019-0808 | Win32k Elevation of Privilege Vulnerability | Important | No | Yes | N/A | 0 | EoP |
| CVE-2019-0683 | Active Directory Elevation of Privilege Vulnerability | Important | Yes | No | N/A | 2 | EoP |
| CVE-2019-0754 | Windows Denial of Service Vulnerability | Important | Yes | No | 2 | 2 | DoS |
| CVE-2019-0757 | NuGet Package Manager Tampering Vulnerability | Important | Yes | No | 2 | 2 | Tampering |
| CVE-2019-0809 | Visual Studio Remote Code Execution Vulnerability | Important | Yes | No | 2 | 2 | RCE |
| CVE-2019-0592 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0609 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0639 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0666 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0667 | Windows VBScript Engine Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0680 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0697 | Windows DHCP Client Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0698 | Windows DHCP Client Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0726 | Windows DHCP Client Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0756 | MS XML Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0763 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0769 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0770 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0771 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0773 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0612 | Microsoft Edge Security Feature Bypass Vulnerability | Important | No | No | 1 | N/A | SFB |
| CVE-2019-0614 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0617 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0665 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-0678 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2019-0682 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0689 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0690 | Windows Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0692 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0693 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0694 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0695 | Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0696 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0701 | Hyper-V Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0702 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0703 | Windows SMB Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0704 | Windows SMB Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0748 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
| CVE-2019-0755 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0759 | Windows Print Spooler Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0761 | Windows Security Zone Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-0762 | Microsoft Browsers Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A | SFB |
| CVE-2019-0765 | Comctl32 Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0766 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0767 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0768 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
| CVE-2019-0772 | Windows VBScript Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0774 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0775 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0776 | Win32k Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0778 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | 2 | XSS |
| CVE-2019-0779 | Microsoft Edge Memory Corruption Vulnerability | Important | No | No | 1 | N/A | RCE |
| CVE-2019-0782 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0783 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-0798 | Skype for Business and Lync Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-0821 | Windows SMB Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0611 | Chakra Scripting Engine Memory Corruption Vulnerability | Important | No | No | 2 | N/A | Info |
| CVE-2019-0746 | Chakra Scripting Engine Memory Corruption Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0780 | Microsoft Browser Memory Corruption Vulnerability | Important | No | No | 1 | N/A | RCE |
| CVE-2019-0816 | Azure SSH Keypairs Security Feature Bypass Vulnerability | Moderate | No | No | 2 | 2 | SFB |
| CVE-2019-0777 | Team Foundation Server Cross-site Scripting Vulnerability | Low | No | No | 2 | 2 | XSS |
Looking at the other publicly known bugs for March, there’s a code execution bug in the Visual Studio C++ Redistributable Installer that involves getting a specially crafted DLL onto a target system and then convincing someone to run a specific program. Also public is an EoP in Active Directory that takes advantage of a default setting, but it requires an attacker to compromise an Active Directory forest first. The final public bug is a denial of service in Windows that can cause a system to stop responding after running a specially crafted program. That program would be created by the attacker and isn’t that memory-hungry browser you just thought of.
This release is dominated by code execution bugs that occur during the web browsing experience. In these cases, an attacker would need to convince a user to browse to a specially crafted website. The only real difference is the component where the bug is located. In addition to web browsers, the components include Chakra, Common Controls (comctl32), MSXML, Scripting Engine, ActiveX, and VBScript. There are four VBScript patches in total. Interestingly, two of these are rated Critical while two are rated as Important – despite all four of these bugs having identical descriptions. More than a third of the release is related to the browsing experience somehow, which isn’t really surprising considering this is the last Patch Tuesday prior to Pwn2Own Vancouver. Browsers have historically been a popular target at the contest, so it’s common to see vendors push out as many patches as possible prior to the competition since all targets are fully updated.
March also brings a baker’s dozen information disclosure patches, mostly in the kernel. Leaking memory through the kernel is typically seen in sandbox escapes. Several security feature bypasses are addressed in this month’s release as well. The most interesting one involves a bug that adds extraneous SSH public keys in Azure due to a provisioning logic error during the creation of virtual machines. The exact scenario needed to end up in this situation definitely seems like a corner case, so the bug earns its Moderate rating. Still, it might be worth poking your authorized_keys file to see what’s there.
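A small audit of the kind suggested above, as an added example that is not part of the original post: it parses authorized_keys lines, computes OpenSSH-style SHA256 fingerprints, and reports any key that is not on an approved list or that cannot be parsed. The approved set, the `make_ed25519_blob` helper and the sample file are constructed for illustration; the key material is not real.

```python
import base64
import hashlib

# Key types OpenSSH accepts in authorized_keys (a subset, enough for this check).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}
def ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return len(data).to_bytes(4, "big") + data
def make_ed25519_blob(pub: bytes) -> str:
    # Base64 key blob for an ssh-ed25519 public key; used only to build constructed sample data.
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pub)).decode()
def fingerprint(blob_b64: str) -> str:
    # OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of sha256(decoded key blob).
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    # Parse authorized_keys into dicts; lines that cannot be parsed are kept and flagged.
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as from="..." may precede the key type, so locate the type field first.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        try:
            fp = fingerprint(fields[idx + 1]) if idx is not None else None
        except (IndexError, ValueError):  # missing blob or invalid base64
            fp = None
        if fp is None:
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        entries.append({"line": lineno, "malformed": False, "type": fields[idx], "fingerprint": fp,
                        "options": " ".join(fields[:idx]), "comment": " ".join(fields[idx + 2:])})
    return entries

def audit_authorized_keys(text: str, approved: set) -> list:
    # Report every entry that is malformed or whose fingerprint is not on the approved list.
    return [e for e in parse_authorized_keys(text)
            if e["malformed"] or e["fingerprint"] not in approved]

# Constructed sample: the admin's own key, a key nobody remembers adding, and a broken line.
ADMIN_BLOB = make_ed25519_blob(b"\x01" * 32)
STRAY_BLOB = make_ed25519_blob(b"\x02" * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys for illustration
ssh-ed25519 {ADMIN_BLOB} admin@workstation
from="10.0.0.0/8" ssh-ed25519 {STRAY_BLOB} unknown-provisioning-key
ssh-rsa not_base64!! broken-line
"""
APPROVED = {fingerprint(ADMIN_BLOB)}
```

On a real VM, read `~/.ssh/authorized_keys` (and the root account's file) into `text` and fill `APPROVED` with the fingerprints `ssh-keygen -lf` reports for the keys you actually provisioned; anything the audit returns deserves a look.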
The Windows Subsystem for Linux receives patches for five separate EoPs. There’s a spoofing bug for Skype for Business, but the end result is cross-site scripting (XSS), so lump that in with the other XSS bugs for Team Foundation Server and SharePoint. Rounding out the release are a trio of denial-of-service bugs for Hyper-V.
This month’s advisories begin with another update to ADV990001, which provides the latest servicing stack updates for supported Windows versions. Advisory ADV190010 provides Best Practices Regarding Sharing of a Single User Account Across Multiple Users. In a word: don’t. However, if you must, the advisory details how that can be done. It should also be noted that Microsoft clearly states, “There is no security boundary between sessions using the same user account on the same Windows client or server.” Really, if you have a solution requiring this, it’s time for a new solution. Advisory ADV190009 provides SHA-2 code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1. You can review this page to see the full timeline for this ability to reach the other OSes. Finally, the fourth advisory for this month is Microsoft’s version of the patch for Flash in Internet Explorer, which only contains defense-in-depth fixes for March.
Looking Ahead
The next Patch Tuesday falls on April 9, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!