If you were among the millions of users who updated Chrome last week to dodge a zero-day exploit, Microsoft has something for you in this month’s Patch Tuesday – a fix for a separate flaw targeting Windows 7 that is being used as part of the same attacks.
To recap, the Chrome flaw (CVE-2019-5786) was first advised on 1 March with a ‘hurry up and apply the update’ follow-up a few days later when news of exploits emerged. The patch for that took Chrome to 72.0.3626.121.
Microsoft’s part of the twofer is a fix for a local elevation of privilege (EoP) vulnerability in Win32k (CVE-2019-0808), which in addition to Windows 7 also affects Windows Server 2008.
As Google’s Clement Lecigne pointed out, another way to achieve the same end is for Windows 7 users to upgrade:
As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows.
Zero day 2
Among a total of 64 CVEs, including 17 rated ‘critical’, is a second zero-day, identified as CVE-2019-0797, which affects all Windows versions and is believed to have been deployed by Middle Eastern APT groups. According to Microsoft’s description, that too is an EoP flaw requiring local access:
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
A further four vulnerabilities earn ‘important’ status because they are now in the public domain, namely CVE-2019-0683 (Active Directory EoP), CVE-2019-0754 (Windows denial-of-service), CVE-2019-0757 (NuGet Package Manager tampering), and CVE-2019-0809 (Visual Studio remote code execution/RCE).
That makes March the third Patch Tuesday in a row with at least one DHCP critical vulnerability. As the flaws are RCEs, this is potentially a big deal because every Windows computer runs this software.
Other criticals include CVE-2019-0763 affecting Internet Explorer, one of around a dozen flaws affecting the defunct browser with about the same number affecting its replacement, Edge. Indeed, around a third of the update has some bearing on browsers, including no fewer than seven marked as Scripting Engine memory corruptions.
This prominence might have something to do with the fact that the annual Pwn2Own contest at CanSecWest happens in March, when researchers vie to find security flaws in software, particularly browsers.
A new tweak this month will see Windows automatically roll back updates that cause problems that can’t be resolved by other recovery methods, in which case users will receive the message:
We removed some recently installed updates to recover your device from a startup failure.
These won’t be installed for 30 days to give Microsoft time to work out what went wrong, after which it will attempt to install them again. This relates to all updates and not only ones that arrive as part of Patch Tuesday.
After all the excitement for Reader and ColdFusion since the last Patch Tuesday, Adobe has an uncharacteristically quiet month with security advisories for only two products, Adobe Digital Editions, and Photoshop CC.