Update now! Microsoft’s March 2019 Patch Tuesday is here

If you were among the millions of users who updated Chrome last week to dodge a zero-day exploit, Microsoft has something for you in this month’s Patch Tuesday – a fix for a separate flaw targeting Windows 7 that is being used as part of the same attacks.

To recap, the Chrome flaw (CVE-2019-5786) was first advised on 1 March with a ‘hurry up and apply the update’ follow-up a few days later when news of exploits emerged. The patch for that took Chrome to 72.0.3626.121.

Microsoft’s part of the twofer is a fix for a local elevation of privilege (EoP) vulnerability in Win32k (CVE-2019-0808), which in addition to Windows 7 also affects Windows Server 2008.

As Google’s Clement Lecigne pointed out, another way to achieve the same end is for Windows 7 users to upgrade:

As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows.

Zero day 2

Among a total of 64 CVEs, including 17 rated ‘critical’, is a second zero-day, identified as CVE-2019-0797 and affecting all Windows versions, believed to have been deployed by Middle Eastern APT groups. According to Microsoft’s description, that too is an EoP flaw requiring local access:

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

A further four vulnerabilities earn ‘important’ status because they are now in the public domain, namely CVE-2019-0683 (Active Directory EoP), CVE-2019-0754 (Windows denial-of-service), CVE-2019-0757 (NuGet Package Manager tampering), and CVE-2019-0809 (Visual Studio remote code execution/RCE).

from Naked Security – Sophos http://bit.ly/2TSc8r2