Microsoft patched 15 critical vulnerabilities this month as part of its March Patch Tuesday roundup of fixes. In all, the company issued 75 fixes, with 61 rated important. Products receiving the most urgent patches included Microsoft browsers and browser-related technologies such as the company’s JavaScript engine Chakra.
In all 21 browser-related fixes were rolled out by Microsoft, 14 of which are rated critical and the remaining seven ranked important. Of the bugs, “scripting engine memory corruption vulnerabilities” represented 14 of the flaws.
Each of the browser scripting issue allowed adversaries to exploit flaws in the way the browser and Microsoft’s JavaScript engine Chakra handles objects in memory. For example, with CVE-2018-0930, a web-based attacker could rig a website to exploit the vulnerability through Microsoft Edge or run malicious ads on an unsuspecting website to create conditions amenable to an attack.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft wrote. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”
Worse, if a user is logged into a system as an administrator, an attacker could take control of an affected system and install programs, view folder contents and change, or delete data, Microsoft said.
Part of this month’s round of patches also included an additional update for the Meltdown vulnerabilities. Windows 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012 now have mitigations for Meltdown and Spectre.
“The Windows kernel received a lot of attention this month likely due to the ongoing attention on Meltdown and Spectre vulnerabilities. I stopped counting the CVEs after a dozen. Good news is I did not see anything higher than an important rating, but that is a lot of changes in the kernel,” said Chris Goettl, director of product management, security, for Ivanti.
Worth noting are several additional bugs, including an important remote code execution vulnerability (CVE-2018-0886) in Microsoft’s Credential Security Support Provider protocol (CredSSP), used to chain user authentication from one client to another.
“As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote.
A Windows Shell vulnerability (CVE-2018-0883) is also worth highlighting, noted Jimmy Graham, director of product management at Qualys in a Patch Tuesday blog post. The bug is “a remote code execution vulnerability in the Windows Shell. It does require the user to download and open a malicious file in order to exploit it, but this patch should also be prioritized for workstation-type systems,” he wrote.
Office-related bug fixes tied to SharePoint numbered 13, pointed out the Zero Day Initiative team blog. “All of these involve bugs with input sanitization that could allow cross-site scripting (XSS) attacks,” according to ZDI.
“This month also sees multiple Exchange patches, which always tend to make sysadmins nervous. The March release is rounded out by patches for ASP.NET and Windows OS components. Folks with ASP.NET Core applications should definitely take note since some of these bugs could cause those apps to crash,” ZDI said.