Get these patches installed first…
Microsoft has released updates for Microsoft Windows, Office, IE, Edge, .Net Framework, Exchange Server, Visual Studio, Team Foundation Server, Asure IoT SDK, Dynamics, and Flash Player on patch Tuesday, resolving a total of 74 unique CVEs this month including arguably three public disclosures and one actively exploited zero-day vulnerability, writes Chris Goettl, Director of Product Management, Security at Ivanti.
A privilege escalation proof-of-concept for Microsoft Exchange Server was disclosed in January by a security researcher. Mollema dubbed his proof-of-concept “PrivExchange” and documents multiple components of Exchange Server and NTLM that together would allow an attacker to perform a man-in-the-middle attack that would allow them to elevate privileges on the Exchange Server to a Domain Admin.
This would effectively allow an attacker to elevate their privilege level to Domain Admin or grant the attacker access to other users’ inboxes. Microsoft had released an advisory outlining mitigation steps that could be taken to reduce risk until an update could be made available (ADV190007).
Microsoft has also released updates for Exchange Server resolving two CVEs.
The first, CVE-2019-0686, resolves the Exchange Web Services contract between EWS clients and Exchange to not allow authenticated notifications. Instead it would make these notifications anonymous so the attacker could not gain access to another user’s mailbox.
The second, CVE-2019-0724, resolves the vulnerability that could allow an attacker to gain Domain Admin privileges on the domain controller. This is similar to a man-in-the-middle attack, but in this case the attacker forwards an authentication request to a Microsoft Active Directory domain controller, gaining increased privileges on the domain controller.
This change will also modify permissions in your Exchange configuration. The changes will differ depending on which version of Exchange server you are running, and if you are on Exchange Server 2010 you will need to take additional manual steps to make changes to permissions. Details on what changes were made to each edition and how to make the 2010 changes are described in KB4490059.
Microsoft has also resolved a publicly disclosed vulnerability (CVE-2019-0636) in Microsoft Windows that could allow an attacker to read the contents of files on disk. This Information Disclosure vulnerability exists in all currently supported Windows versions. The vulnerability requires the attacker to be logged on to the system to exploit.
The last item of note on the Microsoft side this month is a zero-day exploit in Internet Explorer (CVE-2019-0676) that is actively being exploited to allow an attacker to read the contents of files on disk. In this case the attacker can persuade a user to open a malicious website to exploit the vulnerability.
Adobe released four product updates on February Patch Tuesday, resolving a total of 75 unique vulnerabilities. Adobe Flash Player resolved one Important vulnerability this month, which is less severe than previous months, but it’s still a good idea to make updates quickly as Flash is a highly targeted application for attackers to exploit. Adobe Acrobat and Reader (APSB19-07) is the greater concern this month. The update resolves 71 CVEs, most of which are rated as Critical.
Ivanti recommendations for February Patch Tuesday:
- Microsoft OS, browser and Office updates should be a priority. Especially important are the OS and IE with actively exploited and publicly disclosed vulnerabilities being resolved.
- Microsoft Exchange Server should be a priority. All versions are potentially vulnerable to the Privilege Escalation vulnerabilities which have working proof-of-concept code available to the public. An attacker could gain Domain Admin rights to a domain controller or access to a user’s mailbox.
Adobe Flash, Acrobat, and Reader should be a priority. Flash is highly targeted so even though the CVE resolved is rated as Important, it is low hanging fruit. Acrobat and Reader have a large number of Critical CVEs resolved. There are lots of possible ways for an attacker to take advantage so it’s best to get these plugged quickly.