By SophosLabs Offensive Security Research
Microsoft released their monthly security updates for March this past Tuesday. This month’s fixes address 64 vulnerabilities that affect Windows and a range of software that runs on Windows, mainly the Internet Explorer and Edge browsers. In addition, there was a patch released for one critical vulnerability in Adobe Flash.
Among the 64 vulnerabilities in Microsoft products, 18 are categorized by Microsoft as critical, 45 as important, 1 as moderate and 1 as low this month. Almost all of the critical vulnerabilities allow an attacker to execute remote code on the targeted system, while one can be used to elevate privileges on the infected machine. Through a successful social engineering attack (either with a malicious website or Office documents), an external attacker could fully compromise a targeted user’s machine.
There are seven critical vulnerabilities for Edge, two for Internet Explorer, one remote code injection in MS XML, and the rest are for Windows components such as VBScript engine, DHCP Client, ActiveX or the TFTP Server. Even is classified as important and not critical, the two vulnerabilities affecting Win32k have been exploited in the wild.
Let’s have a closer look at some of the interesting vulnerabilities.
CVE-2019-0797, CVE-2019-0808 Win32k Elevation of Privilege
The Win32k driver is affected by a race condition that could allow an attacker to achieve elevation of privilege on a Windows 7 64bit machine. There is also a NULL page dereference issue that could also be used to achieve elevation of privilege but on a Windows 32bit machine, because the NULL page allocation is not allowed on 64bit systems and has been disabled by default since Windows 8. These two vulnerabilities have been spotted in the wild.
CVE-2019-0755, CVE-2019-0767, CVE-2019-0775 Windows Kernel Information Disclosure
These vulnerabilities can be used to read kernel memory and potentially reveal kernel pointers, which can be used to bypass Kernel Address Space Layout Randomization (KASLR). The first one uses the Windows API function NtQueryInformationFile to get information about a handle. In the returned information, there is a kernel pointer.
CVE-2019-0703 Windows SMB Information Disclosure
The NtQueryInformationFile function can be used on named pipe through SMB. Therefore a remote attacker could leverage that vulnerability to get kernel pointer from the targeted system.
Scripting Engine Memory Corruption
CVE-2019-0592, CVE-2019-0609, CVE-2019-0639, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771, CVE-2019-0773, CVE-2019-0783
CVE-2019-0612 Microsoft Edge Security Feature Bypass
Normally for a Flash application to run, when the website is not in a whitelist provided by Microsoft, the user has to manually click on the plugin to activate it and run the application. In Microsoft Edge, it is possible to bypass such restriction and automatically run any Flash application from any domain.
CVE-2019-0665, CVE-2019-0666, CVE-2019-0667 Windows VBScript Engine Remote Code Execution
The Windows VBScript engine, that can be invoked from Internet Explorer is affected by a buffer overrun and a couple use after free vulnerabilities that could lead a remote attacker, through a malicious website, to gain control of the targeted Windows 10 machine. The vulnerabilities have not been spotted exploited in the wild yet.
How is Sophos responding to these threats?
Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.
How long does it take to have Sophos detection in place?
We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.
Additional IPS Signatures
What if the vulnerability/0-day you’re looking for is not listed here?
If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.