Microsoft patched a bevy of critical bugs impacting its Edge browser that could allow an attacker to hijack a targeted PC simply by steering a victim to a rigged website harboring specially crafted exploit code. In all, Microsoft tackled four critical Edge vulnerabilities, part of the company’s first 2019 round of Patch Tuesday bug fixes.
Each of the browser bugs is a memory corruption vulnerability. Three (CVE-2019-0539, CVE-2019-0568, CVE-2019-0567) are tied to Chakra Scripting Engine, Microsoft’s own JavaScript engine. The fourth (CVE-2019-0565) is a remote code execution vulnerability that exists when Edge improperly accesses objects in memory, according to Microsoft.
In total, Microsoft patched 49 vulnerabilities on Tuesday, seven listed as critical, 40 important and two ranked as moderate. Of particular interest is a Jet Database Engine remote code execution vulnerability (CVE-2019-0579) that was publicly known ahead of the patch, but not exploited in the wild.
“A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system,” Microsoft wrote.
According to the Microsoft security bulletin, to exploit the Jet vulnerability an adversary would first have to trick a victim into opening a malicious file.
Another notable patch was for a Skype for Android elevation of privilege vulnerability (CVE-2019-0622) that could have allowed hackers to bypass authentication methods and access personal data on an Android device – simply by answering a Skype call to that device. Threatpost reported on the bug on Monday.
“Obviously, an attacker would need physical access to your phone to do this. According to published reports, a fix for this was included in the December 23 release of Skype, so this release is primarily documenting the details. Although Microsoft does not list this as publicly known, the researcher posted a YouTube video demonstrating the vulnerability back on December 31. To get the update, you’ll need to manually access the Google Play store and update the Skype app from there,” wrote Zero Day Initiative in its Patch Tuesday commentary.
Satnam Narang, senior research engineer at Tenable, noted in an email commentary to Threatpost:
“The most noteworthy vulnerability in today’s Microsoft Patch Tuesday release is a remote code execution flaw in the Windows DHCP client (CVE-2019-0547), which is the highest rated CVE this month. In order to exploit the vulnerability, an attacker would need to be able to send a specially crafted DHCP response to its target, allowing them to run arbitrary code on the client machine.”
The bug has a CVSS score of 9.8 and impacts the latest versions of Windows 10 (version 1803) and Windows Server (version 1803).
“There are also multiple elevation of privilege vulnerabilities in the Windows Data Sharing Service that were patched this month,” Narang wrote. “An attacker could use these vulnerabilities to elevate privileges while on an affected system. This follows the public disclosure via Twitter of a zero-day elevation of privilege vulnerability in the Windows Data Sharing service back in October.”
Although it was not part of this month’s round of patches, Allan Liska, senior solutions architect at Recorded Future, notes that much of the attention in the security world is still on the December out-of-band patch that Microsoft issued for the Internet Explorer Memory Corruption Vulnerability (CVE-2018-8653).
“That vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms. If you have not patched this vulnerability yet, it should be the number one priority,” Liska said.