By SophosLabs Offensive Research
Earlier this month, Microsoft released their first Patch Tuesday update of 2019. For some users, these patches are still rolling out. The update includes fixes for 48 security vulnerabilities found in Windows and other Microsoft products.
None of the fixed vulnerabilities are reported to have been exploited in the wild.
Of these, 13 are remote code execution vulnerabilities affecting Office applications (Word, Visual Studio, and the Jet Database Engine used in Office suite apps).
A total of 10 of the fixed vulnerabilities allow for elevation of privilege, a vulnerability class that allows an attacker with initial access to a system to gain more control over it.
Another 5 remote code execution vulnerabilities affect the two Microsoft web browsers, Edge and Internet Explorer.
It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2019-01” at the Microsoft Update Catalog website.
Here are some more details about a few of the more notable vulnerabilities:
Windows DHCP Client
Microsoft fixed a critical remote code execution bug, designated CVE-2019-0547.
This one was found by Microsoft's internal bug hunters, and no specific details were provided, but the vulnerability is notable because every Windows machine runs a DHCP client as a headless network service. Microsoft evidently agrees: it assigned the bug a base CVSS score of 9.8, severe enough to merit immediate attention.
One might speculate that a DHCP client vulnerability opens the system to compromise when the victim connects to a rogue network (a hypothetical malicious public WiFi) or, possibly, when an infected machine on the local network acts as a malicious DHCP server. An attack of this nature would very likely occur without being visible to, or requiring any interaction from, the user.
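Because the bug details were not published, the only practical defensive angle the post supports is the one it speculates about: DHCP offers arriving from a server that is not yours. The following is an added example, not Sophos code and not derived from CVE-2019-0547; it parses the DHCP message layout from RFC 2131/2132 with explicit bounds checks on the option fields, and flags OFFERs whose server identifier is not on an allowlist (the sample packets and the addresses 10.0.0.1 and 10.0.0.99 are constructed for the demonstration).

```python
"""Parse DHCP payloads and flag OFFERs from servers outside an allowlist.

Added example for this post; not Sophos code and unrelated to the
unpublished details of CVE-2019-0547. Layout follows RFC 2131/2132.
Sample packets below are constructed inline for demonstration.
"""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
OPT_PAD, OPT_END = 0, 255
MSG_OFFER = 2
HEADER_LEN = 236                            # fixed BOOTP header before the cookie


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str                             # address being offered/assigned
    options: dict = field(default_factory=dict)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(packet: bytes) -> DhcpMessage:
    """Parse the UDP payload of a DHCP message.

    Every option length is checked against the buffer before the data is
    read, so a truncated or over-long option raises ValueError instead of
    being read past the end of the packet."""
    if len(packet) < HEADER_LEN + 4:
        raise ValueError("packet shorter than BOOTP header plus magic cookie")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = ip_str(packet[16:20])          # ciaddr is 12:16, yiaddr is 16:20
    if packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError(f"option {code}: length byte missing")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: declared length {length} exceeds packet")
        options[code] = data
        i += 2 + length
    return DhcpMessage(op, xid, yiaddr, options)


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_dhcp(packet)
        return True
    except ValueError:
        return False


def check_offer(msg: DhcpMessage, allowed_servers: set) -> list:
    """Return findings for a DHCPOFFER whose server identifier is not allowlisted."""
    findings = []
    if msg.options.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return findings                     # only OFFERs are of interest here
    server_id = msg.options.get(OPT_SERVER_ID)
    if server_id is None:
        return ["OFFER without server identifier option"]
    server = ip_str(server_id)
    if server not in allowed_servers:
        findings.append(f"OFFER from unexpected server {server} (leases {msg.yiaddr})")
        # A rogue server typically also pushes its own gateway and DNS.
        for code, name in ((OPT_ROUTER, "router"), (OPT_DNS, "dns")):
            if code in msg.options:
                findings.append(f"  pushes {name} {ip_str(msg.options[code])}")
    return findings


def build_offer(xid, yiaddr, server_id, router=None, dns=None) -> bytes:
    """Construct a minimal DHCPOFFER payload as sample input for the parser."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)             # op=BOOTREPLY
    header += b"\x00" * 4 + bytes(map(int, yiaddr.split("."))) + b"\x00" * 8
    header += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128                # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + bytes(map(int, server_id.split(".")))
    for code, addr in ((OPT_ROUTER, router), (OPT_DNS, dns)):
        if addr:
            opts += bytes([code, 4]) + bytes(map(int, addr.split(".")))
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    allowed = {"10.0.0.1"}                  # constructed: the site's real DHCP server
    for pkt in (build_offer(0x1234, "10.0.0.20", "10.0.0.1", router="10.0.0.1"),
                build_offer(0x1234, "10.0.0.21", "10.0.0.99", router="10.0.0.99", dns="10.0.0.99")):
        for line in check_offer(parse_dhcp(pkt), allowed):
            print(line)
```

In practice the packets would come from a capture of UDP port 68 traffic on the segment (for example via a pcap reader), and the allowlist from the DHCP server inventory; the parser's strict length checks are the part worth keeping regardless, since option parsing is where a DHCP client spends most of its exposure to untrusted input.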
Edge Web Browser
Internet Explorer MSHTML Engine
The company fixed a bug, rated "Important" (CVE-2019-0541), that allows attackers to run code remotely on the victim's machine. The exploit takes advantage of a built-in Microsoft Office component in Internet Explorer, provided two conditions are met: the victim visits a malicious website, and the victim interacts with the browser's menu bar. If this is anything like other Office exploits, the "interaction" may be dismissing or disabling a security warning dialog, but we don't know.
The company also fixed two critical Hyper-V bugs (CVE-2019-0550 and CVE-2019-0551) that could result in a VM "escape", where code running in a guest virtual machine breaks out onto the host machine it's running on.
Virtual machines are often used to create segregated environments where unsafe programs can be run without risk of affecting the host, so this is troubling for those who use Hyper-V for that purpose. Chinese security company 360 Qihoo claimed credit for reporting a Hyper-V escape bug to Microsoft, netting the researcher a $200,000 bug bounty. Not a bad payout! Rewards for Hyper-V bugs are among the highest Microsoft's Bug Bounty Program will pay.
How is Sophos responding to these threats?
Sophos has released the following detections to address the vulnerabilities mentioned above. Please note that additional vulnerabilities and corresponding detections may be released in the future.
N/V = Not Validated. The proof-of-concept code provided with MAPP advisories does not include active exploits and is therefore not applicable to Intercept X testing. Intercept X's ability to block an exploit depends on the actual weaponization approach, which we can't target until we see it in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks.
TBA = to be added.
How long does it take to have Sophos detection in place?
We aim to add detection for critical issues, based on the type and nature of the vulnerabilities, as soon as possible. Please note that some detections might not be available, depending on the availability of data.
It is mostly not possible to test with Intercept X due to the nature of the data we receive.