Naked Security

Update now! Microsoft and Adobe’s February 2019 Patch Tuesday is here

Internet Explorer (IE) may have launched way back in 1995 but nearly a quarter of a century later it’s still creating work for Microsoft and Windows users.

Take February’s Patch Tuesday, a highlight of which is a bona fide IE 10 and 11 zero-day said by Microsoft to be under active exploit by cybercriminals.

The flaw is identified as CVE-2019-0676 and marked ‘important’, but all patchers have to go on for now is Microsoft’s brief description of what an exploit might look like:

An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website.

That’s not just for IE holdouts either – IE11 is present within all consumer Windows 10 versions for compatibility reasons so all users in this category get it.

Rounding out the legacy IE patching is the critical flaw identified as CVE-2019-0606, a Remote Code Execution (RCE) vulnerability exploitable by luring a user to a malicious website.

Among its haul of 77 CVE-level security fixes, 20 marked critical, February has four other important-rated flaws that have been publicly disclosed: CVE-2019-0636, CVE-2019-0646, CVE-2019-0647, and the most interesting of all, CVE-2019-0686.

Covered last week by Naked Security, this is the recently-revealed Exchange elevation of privilege flaw dubbed PrivExchange, which an attacker could use as part of a chain to elevate an ordinary mailbox account into that of Domain Admin.

Critical flaws

Among the undisclosed criticals is CVE-2019-0626, an RCE in DHCP through which an attacker might take over the server by sending a specially-crafted packet.

Then there’s the pair of critical flaws in SharePoint, CVE-2019-0594 and CVE-2019-0604, both of which would allow an attacker to “run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.”

Two marked important are CVE-2019-0630 and CVE-2019-0633, both RCE flaws in SMBv2 that would allow an attacker to take over a targeted machine. All that stands between these being critical flaws is that attackers would still have to find a way around authentication.

For Windows 10 version 1809, look for build 17763.316 (KB4487044) in Windows Update.

For 1709: https://support.microsoft.com/en-us/help/4486996/windows-10-update-kb4486996

For 1703: https://support.microsoft.com/en-us/help/4487020/windows-10-update-kb4487020

For 1607: https://support.microsoft.com/en-us/help/4487026/windows-10-update-kb4487026

Adobe flaws

This month’s Adobe menu features 75 CVE-level vulnerabilities, all but four of which relate to the different versions of Acrobat/Reader. Of these, 43 are rated ‘critical’.

One already in the public domain is CVE-2019-7089, a Reader flaw discussed in detail by Naked Security that would allow an attacker to exploit the execution of a malicious PDF to steal NTLM password hashes via an SMB request.

The flaw resembles last April’s CVE-2018-4993 in some respects, and there are now two patches for it after guerrilla patching initiative 0patch released an independent fix in advance of Adobe’s, on 12 February.

Updating takes users to 2019.010.20091 for Acrobat/Reader DC, 2017.011.30120 for Acrobat/Reader DC 2017, and 2015.006.30475 for Acrobat/Reader DC 2015.
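As an added example (not from the original article or from Microsoft or Adobe), the following Python sketch audits inventory records against the fixed versions quoted above: Windows 10 1809 build 17763.316 and the three Acrobat/Reader releases. The record layout, host names and sample versions are constructed for illustration; versions are compared numerically because a plain string comparison would rank build 17763.1000 below 17763.316.

```python
# Fixed versions quoted in the article (February 2019 Patch Tuesday).
BASELINES = {
    "Windows 10 1809": "17763.316",  # KB4487044
    "Acrobat/Reader DC": "2019.010.20091",
    "Acrobat/Reader DC 2017": "2017.011.30120",
    "Acrobat/Reader DC 2015": "2015.006.30475",
}

def parse_version(text):
    """Turn '2019.010.20091' into (2019, 10, 20091); ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def audit(records):
    """Return (host, product, version, status) for each inventory record.

    status is 'patched', 'unpatched', 'unparseable' or 'no baseline'.
    """
    results = []
    for host, product, version in records:
        baseline = BASELINES.get(product)
        if baseline is None:
            status = "no baseline"  # product not covered by the table above
        else:
            try:
                installed = parse_version(version)
            except ValueError:
                status = "unparseable"  # needs manual review
            else:
                fixed = parse_version(baseline)
                status = "patched" if installed >= fixed else "unpatched"
        results.append((host, product, version, status))
    return results

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows 10 1809", "17763.100"),
    ("ws-02", "Windows 10 1809", "17763.1000"),  # later build, sorts lower as text
    ("ws-03", "Acrobat/Reader DC", "2019.010.20000"),
    ("ws-04", "Acrobat/Reader DC 2017", "2017.011.30120"),
    ("ws-05", "Acrobat/Reader DC 2015", "2015.006.x"),
    ("ws-06", "Example Product", "1.2.3"),
]

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host}  {product:<24} {version:<16} {status}")
```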

Adobe does serve one welcome surprise – only ONE fix for Flash, CVE-2019-7090.