Rappel Constructeur Microsoft
Threat Research

DHCP, Edge, Office, Hyper-V Receive Critical New Year Updates

Just connecting to a (malicious) wireless network could lead to Bad Things Happening, but none of the patched bugs have been seen in the wild (yet!)

Earlier this month, Microsoft released their first Patch Tuesday update of 2019. For some users, these patches are still rolling out. The update includes fixes for 48 security vulnerabilities found in Windows and other Microsoft products.

None of the fixed vulnerabilities are reported to have been exploited in the wild.

Of these, 13 are remote code execution vulnerabilities affecting Office applications (Word, Visual Studio, and the Jet Database Engine used in Office suite apps).

A total of 10 of the fixed vulnerabilities allow for elevation of privilege, a vulnerability class that allows an attacker with initial access to a system to gain more control over it.

Another 5 remote code executions vulnerabilities affect the two Microsoft web browsers, Edge and Internet Explorer.

It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-01” at the Microsoft Update Catalog website.

Here are some more details about a few of the more notable vulnerabilities:

Windows DHCP Client

Microsoft fixed a critical remote code execution bug, designated CVE-2019-0547.

This one was found by Microsoft internal bug hunters; no specific details were provided, but this vulnerability is notable because DHCP clients are on every Windows machine, operating as headless network services. Microsoft must have thought so, as well, since it has a high Base CVSS score given to it by Microsoft: 9.8, which rates it severe enough to merit immediate attention.

One might speculate that a DHCP client vulnerability potentially opens the system to being compromised when the victim connects to a rogue network (a hypothetical malicious public WiFi), or, possibly, if an infected machine acts as a malicious DHCP server. An attack of this nature is highly likely to occur without it being visible to, or requiring any interaction from, the user.

Edge Web Browser

Important updates to Edge include fixes for four critical bugs. Three of the vulnerabilities (CVE-2019-0539, CVE-2019-0567, CVE-2019-0568) affect Edge’s Chakra JavaScript engine, and one (CVE-2019-0565) impacts the EdgeHTML layout engine. A remote attacker, running a malicious website, could exploit any of these to gain control of a Windows machine unlucky enough to browse to it.

Internet Explorer MSHTML Engine

The company fixed a bug, rated “Important” (CVE-2019-0541), that allows attackers to run remote code on the victim’s machine. The exploit takes advantage of a built-in Microsoft Office component in Internet Explorer, if two conditions are met: the victim visits a malicious website, and the victim interacts with the browser’s menu bar. If this is anything like other Office exploits, the “interaction” may be to dismiss or disable a security warning dialog, but we don’t know.

Hyper-V

The company fixed two critical bugs (CVE-2019-0550 and CVE-2019-0551) that could result in a VM “escape” situation, where code on a guest virtual machine could jump out onto the host machine it’s running on.

Virtual machines are often used to create segregated virtual environments where unsafe programs can be run without the risk of them having any effect on the host machine, so this is troubling for those who use Hyper-V for this purpose. Chinese security company 360 Qihoo claimed credit for reporting a Hyper-V escape bug to Microsoft, netting the researcher a $200,000 bug bounty. Not a bad payout! Microsoft’s Bug Bounty Program offers rewards for bugs in Hyper-V that are among the highest the company will pay.

How is Sophos responding to these threats?

Sophos has released following detection to address the vulnerabilities mentioned above.   Please note that additional vulnerabilities and corresponding detection may be released in the future.

CVE SAV IPS Intercept-X
CVE-2019-0539 sid:9000798 N/V
CVE-2019-0541 TBA sid:9000800, sid:9000799 N/V
CVE-2019-0565 sid:9000801 N/V
CVE-2019-0567 TBA sid:9000802 N/V
CVE-2019-0568 sid:9000754 N/V

 

N/V = Not Validated. The proof-of-concept code provided with MAPP advisories does not include active exploits, and as such is not applicable to Intercept X testing. The IX ability to block the exploit depends on actual exploit weaponization approach, which we can’t target until we spot it in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks

TBA = to be added.

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. Please note that some detection might not be available due to the availability of the data.

It is mostly not possible to test with Intercept-X due to the nature of the data we receive.

Leave a Reply

Your email address will not be published. Required fields are marked *