Threat Research

Microsoft released their monthly security updates for March this past Tuesday. This month’s fixes address 64 vulnerabilities that affect Windows and a range of software that runs on Windows, mainly the Internet Explorer and Edge browsers. In addition, there was a patch released for one critical vulnerability in Adobe Flash.

Among the 64 vulnerabilities in Microsoft products, 18 are categorized by Microsoft as critical, 45 as important, 1 as moderate and 1 as low this month. Almost all of the critical vulnerabilities allow an attacker to execute remote code on the targeted system, while one can be used to elevate privileges on the infected machine. Through a successful social engineering attack (either with a malicious website or Office documents), an external attacker could fully compromise a targeted user’s machine.

There are seven critical vulnerabilities for Edge, two for Internet Explorer, one remote code injection in MS XML, and the rest are for Windows components such as VBScript engine, DHCP Client, ActiveX or the TFTP Server. Even is classified as important and not critical, the two vulnerabilities affecting Win32k have been exploited in the wild.

Let’s have a closer look at some of the interesting vulnerabilities.

CVE-2019-0797, CVE-2019-0808 Win32k Elevation of Privilege

The Win32k driver is affected by a race condition that could allow an attacker to achieve elevation of privilege on a Windows 7 64bit machine. There is also a NULL page dereference issue that could also be used to achieve elevation of privilege but on a Windows 32bit machine, because the NULL page allocation is not allowed on 64bit systems and has been disabled by default since Windows 8. These two vulnerabilities have been spotted in the wild.

CVE-2019-0755, CVE-2019-0767, CVE-2019-0775 Windows Kernel Information Disclosure

These vulnerabilities can be used to read kernel memory and potentially reveal kernel pointers, which can be used to bypass Kernel Address Space Layout Randomization (KASLR). The first one uses the Windows API function NtQueryInformationFile to get information about a handle. In the returned information, there is a kernel pointer.

CVE-2019-0703 Windows SMB Information Disclosure

The NtQueryInformationFile function can be used on named pipe through SMB. Therefore a remote attacker could leverage that vulnerability to get kernel pointer from the targeted system.

Scripting Engine Memory Corruption

CVE-2019-0592, CVE-2019-0609, CVE-2019-0639, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771, CVE-2019-0773, CVE-2019-0783

The JavaScript engine of the Edge and Internet Explorer web browsers, have multiple type confusion, use after free and out of bound write vulnerabilities that could lead a remote attacker, through a malicious website, to gain control of the targeted Windows 10 machine. The vulnerabilities have not been spotted exploited in the wild yet.

CVE-2019-0612 Microsoft Edge Security Feature Bypass

Normally for a Flash application to run, when the website is not in a whitelist provided by Microsoft, the user has to manually click on the plugin to activate it and run the application. In Microsoft Edge, it is possible to bypass such restriction and automatically run any Flash application from any domain.

CVE-2019-0665, CVE-2019-0666, CVE-2019-0667 Windows VBScript Engine Remote Code Execution

The Windows VBScript engine, that can be invoked from Internet Explorer is affected by a buffer overrun and a couple use after free vulnerabilities that could lead a remote attacker, through a malicious website, to gain control of the targeted Windows 10 machine. The vulnerabilities have not been spotted exploited in the wild yet.

How is Sophos responding to these threats?

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.

CVE SAV IPS Intercept-X
CVE-2019-0592 Exp/20190592-A 9000836 N/V
CVE-2019-0609 Exp/20190609-A 9000837 N/V
CVE-2019-0680 Exp/20190680-A 9000842 N/V

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

Additional IPS Signatures

CVE
Signature
CVE-2019-0612 9000838
CVE-2019-0639 9000839
CVE-2019-0665 9000840
CVE-2019-0666 46554
CVE-2019-0667 9000841
CVE-2019-0763 36991
CVE-2019-0767 9000843
CVE-2019-0768 9000844
CVE-2019-0769 2200885
CVE-2019-0770 9000845
CVE-2019-0771 9000846
CVE-2019-0773 9000847

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.