February 2019 Patch Tuesday: PrivExchange hole plugged

For the February 2019 Patch Tuesday, Microsoft has released fixes for over 70 CVE-numbered vulnerabilities, 20 of which are rated Critical.


Also rated Critical are the Adobe Flash security update (ADV190003, which carries a fix for CVE-2019-7090, an information disclosure flaw in Adobe Flash Player), and the latest servicing stack updates (ADV990001).

Previously disclosed and exploited vulnerabilities

“Two vulnerabilities were publicly disclosed previous to today’s releases,” notes Greg Wiseman, senior security researcher for Rapid7.

“CVE-2019-0686, an elevation of privilege vulnerability in Exchange Server that has now properly been patched. Microsoft had outlined a mitigation in their ADV190007 advisory last week, but is now encouraging administrators to apply the patch and remove the previous workaround. The other, CVE-2019-0636, is an information disclosure vulnerability in Windows that could allow a logged in user to view the contents of files on disk without authorization.”

CVE-2019-0686 is the so-called PrivExchange bug, for which proof-of-concept code has been publicly available since last month.

“If exploited, the vulnerability would give an attacker Domain Administrator privileges that would allow them to access domain user credentials. PrivExchange is also addressed by CVE-2019-0724. Given the severity and publicity of the vulnerability, organizations should patch immediately,” says Satnam Narang, senior research engineer at Tenable.
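Because Microsoft now wants the ADV190007 workaround removed once the patch is in place, a practitioner will want a way to find it and take it out without guessing at its name. The following Exchange Management Shell script is an added example, not code from the article, Microsoft or any of the quoted researchers. It assumes the workaround was applied the way ADV190007 suggested, as an organization-scoped throttling policy with EwsMaxSubscriptions set to 0 (the article does not spell this out); the policy name NoEWSSubscription is the advisory's suggested name and is only used for the message text, since the search keys on the setting rather than the name.

```powershell
# Added example (not from the article): locate and remove the ADV190007 EWS-subscription
# throttling workaround after the February 2019 Exchange update has been installed.
# Assumption: the workaround is an Organization-scope throttling policy with
# EwsMaxSubscriptions = 0, as ADV190007 described. Run in the Exchange Management Shell.
Import-Module WebAdministration   # provides Restart-WebAppPool

# 1. Find every organization-scope throttling policy that disables EWS subscriptions,
#    regardless of what it was named when it was created.
$workaround = Get-ThrottlingPolicy | Where-Object {
    $_.ThrottlingPolicyScope -eq 'Organization' -and "$($_.EwsMaxSubscriptions)" -eq '0'
}

if (-not $workaround) {
    Write-Output 'No EWS-subscription throttling workaround found; nothing to remove.'
    return
}

foreach ($p in $workaround) {
    Write-Output "Found workaround policy '$($p.Name)' (EwsMaxSubscriptions = $($p.EwsMaxSubscriptions))"
}

# 2. Show the installed build on every server so the operator can confirm the
#    February 2019 update is present before the mitigation is dropped. The target
#    build number is deliberately not hard-coded here; compare against the build
#    listed for your Exchange version in Microsoft's build-number table.
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize

$answer = Read-Host 'Is the February 2019 Exchange update installed on every server above? Remove the workaround (y/N)'
if ($answer -eq 'y') {
    $workaround | Remove-ThrottlingPolicy -Confirm:$false
    # EWS only re-reads throttling settings after its application pool restarts,
    # so restart it on this server (repeat on each Mailbox server).
    Restart-WebAppPool -Name MSExchangeServicesAppPool
    Write-Output 'Workaround removed; EWS push subscriptions are enabled again.'
}
```

Removing the policy before every Mailbox server is patched reopens the EWS push-subscription path the workaround was blocking, which is why the script stops to show the installed build rather than removing the policy unconditionally.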

CVE-2019-0676, an Internet Explorer information disclosure vulnerability that could allow an attacker to check disks for the presence of certain files, was spotted being exploited in the wild. To exploit it, an attacker would have to convince the victim to visit a malicious website.

Other flaws of prime concern

Eleven of the critical holes plugged are memory corruption vulnerabilities in the Scripting Engine.

This update, along with those for the Edge and Internet Explorer browsers and the Graphics Device Interface (GDI+), should be prioritized for workstation-type devices, says Jimmy Graham, Senior Director of Product Management at Qualys.

CVE-2019-0626, an RCE in Windows DHCP Server, and CVE-2019-0594 and CVE-2019-0604, two critical SharePoint flaws, also warrant priority attention.

The former allows attackers to take over DHCP servers by sending them a specially crafted packet.

“Code execution through a network service that executes with high privileges definitely put this in the wormable category, although it would only be wormable to other DHCP servers. While the Exploit Index (XI) rating for this is lower, there’s no reason to pass on installing this patch once you’ve tested it,” says Trend Micro Zero Day Initiative’s Dustin Childs.

The SharePoint flaws could be exploited by uploading a specially crafted SharePoint application package to execute code in the context of the SharePoint application pool and the SharePoint server farm account.

“While the malicious user would need special rights to perform this action, this patch should be treated as high priority for any SharePoint servers,” Qualys’ Jimmy Graham advises.
