Two zero days being exploited in the wild
Microsoft's patches this week include fixes for 18 critical security vulnerabilities, including remote code execution (RCE) flaws that impact Windows 10 and Windows Server 2019, and a zero-day first spotted by Kaspersky Labs that was being actively exploited in the wild.
For the third month running, Microsoft has also patched high-severity vulnerabilities in its Windows DHCP (Dynamic Host Configuration Protocol) client or Windows DHCP Server. The updates came as Patch Tuesday addressed 65 vulnerabilities.
Thirteen of the critical vulnerabilities are in scripting engines and browser components, impacting Microsoft browsers and Office. Along with the Windows DHCP Client issues, there were also patches for an RCE vulnerability in the Windows Deployment Services TFTP Server and a privilege escalation vulnerability in Microsoft Dynamics 365.
Microsoft Patches: What to Prioritise
Zero-day vulnerabilities are previously unknown software bugs that attackers can exploit to breach a victim's device and network. The highest-profile new exploit uses a vulnerability in the Microsoft Windows graphics subsystem to achieve local privilege escalation, which gives the attacker full control over a victim's computer.
Kaspersky Labs said in a release on Wednesday that it believes the detected exploit could have been used by several threat actors including FruityArmor and the recently discovered, apparently Middle East-based threat group SandCat.
Jimmy Graham, from cloud security specialist Qualys, told Computer Business Review in an emailed statement that alongside the zero day patch the following Microsoft patches should be prioritised to ensure security.
- Browser, Scripting Engine, ActiveX, and MSXML patches should be prioritised for workstation-type devices, meaning any system that is used for email or to access the internet via a browser.
Windows DHCP Client
- The Windows DHCP Client is used across workstations and servers. Deployment of patches to cover the three RCE vulnerabilities should be prioritised for all Windows systems.
Windows Deployment Services TFTP Server
- If you are using Windows Deployment Services, this patch should be prioritised, as exploitation could lead to remote code execution on the affected host.
Microsoft Dynamics 365
- On-prem deployments of Microsoft Dynamics 365 are vulnerable to privilege escalation, and patching for these systems should also be prioritised.
With regard to the DHCP vulnerabilities, Allan Liska, senior solutions architect at Recorded Future said: “To this point Recorded Future has not seen Microsoft’s DHCP vulnerabilities exploited in the wild, as they are often difficult to take advantage of, and the access to do so generally means there are easier ways to deploy malware.”
He added: “Microsoft also released several patches for Microsoft Edge this month, including CVE-2019-0769, CVE-2019-0770, CVE-2019-0771 and CVE-2019-0773. All of these vulnerabilities are ChakraCore scripting engine vulnerabilities…”
A second Win32k kernel privilege escalation vulnerability, CVE-2019-0808, has also been exploited, but no PoC exploit code has been released. This vulnerability impacts Windows 7 and Windows Server 2008. In both cases, an attacker would already need access to the system to exploit the vulnerability, but once they have that access, exploiting it would give the attacker full control of the system.