As part of the March 2019 Patch Tuesday, Microsoft has released fixes for 64 CVE-numbered vulnerabilities, 17 of which are rated Critical and 45 Important.
Interestingly enough, neither of the two vulnerabilities that are being actively exploited in the wild nor any of the four listed as publicly known is rated Critical.
Vulnerabilities exploited in the wild
CVE-2019-0808 and CVE-2019-0797 are both Win32k Elevation of Privilege vulnerabilities under active attack.
The first one was flagged by Clément Lecigne of Google’s Threat Analysis Group and was spotted being exploited in conjunction with a Chrome zero-day use-after-free vulnerability that allowed attackers to escape the Chrome sandbox and perform remote code execution on the underlying operating system.
CVE-2019-0808 was found not to affect Windows 10 – patches have been provided for Windows 7 and Windows Server 2008.
The second one was reported by Kaspersky Labs and it is being used in targeted attacks.
Other vulnerabilities of note
CVE-2019-0603 is an RCE flaw in Windows Deployment Services (WDS) that’s similar to the one recently revealed by Check Point.
“This bug is in the implementation of the TFTP service and not in the TFTP protocol itself,” noted Dustin Childs, director of communications for Trend Micro’s Zero Day Initiative.
“To exploit this bug, an attacker would need to send a specially crafted request to an affected server. If you’re using WDS in your environment, definitely put this one near the top of your test and deployment list.”
Three critical RCE flaws (CVE-2019-0697, CVE-2019-0698, CVE-2019-0726) in the Windows DHCP client have also been fixed. These patches should be prioritized on Windows systems, as a DHCP client is present on all versions of the OS and exploitation requires no user interaction.
“There would likely need to be a man-in-the-middle component to properly execute an attack, but a successful exploit would have wide-ranging consequences,” Childs pointed out.
Greg Wiseman, senior security researcher for Rapid7, singled out the vulnerabilities of particular interest to developers:
- CVE-2019-0809 (Visual Studio Remote Code Execution Vulnerability, affecting the Visual Studio C++ Redistributable Installer) and
- CVE-2019-0757 (a NuGet Package Manager Tampering Vulnerability, which affects installations on Linux and Mac).
Microsoft has also released four advisories:
- ADV990001: Includes the latest servicing stack updates for each operating system
- ADV190008: Includes minor security fixes for Adobe Flash Player
- ADV190010: Provides Best Practices Regarding Sharing of a Single User Account Across Multiple Users
- ADV190009: Announces the release of SHA-2 code signing support for Windows 7 SP1 and Windows Server 2008 R2 SP1.
“Without the patches published under the ADV190009 advisory, systems will no longer be able to receive security updates later this year,” Wiseman pointed out.
“Microsoft currently signs their product updates using both the SHA-1 and SHA-2 hash algorithms. Over the last several years, cryptography researchers have found various weaknesses in SHA-1 that make it easier to find ‘collisions’ – opening up the potential for someone to craft a different, potentially malicious update file that looks legitimate to Windows Update. To safeguard against this, Microsoft will start using SHA-2 exclusively after July 2019.”
UPDATE (March 14, 2019, 5:51 a.m. PT):
Qihoo 360 Core researchers have released more details about CVE-2019-0808, as well as PoC exploit code.