It’s a busy Patch Tuesday for Microsoft with a total of 20 critical vulnerabilities addressed in this February’s monthly security bulletin. Four bugs, rated important, were previously publicly known. Worse, Microsoft said a zero-day bug tied to its Internet Explorer browser, also rated important, is being actively exploited in the wild.
The zero-day bug is now patched (CVE-2019-0676) and is identified as an Internet Explorer Information Disclosure vulnerability. According to researchers, an attacker could persuade a user to open a malicious website to exploit the browser flaw.
“This information disclosure vulnerability exists in all currently supported Windows versions. This does require the attacker to be logged on to the system to exploit,” wrote Chris Goettl, director of product management, security, for Ivanti in an analysis of Tuesday’s patch releases.
An additional vulnerability patched by Microsoft, known as the PrivExchange bug, was confirmed last week. The flaw (CVE-2019-0686) is an elevation-of-privilege weakness in Microsoft’s Exchange Server that could allow a remote attacker with a simple mailbox account to gain administrator privileges.
“The ‘PrivExchange’ was publicly disclosed, along with proof-of-concept code, last month,” wrote Satnam Narang, senior research engineer at Tenable in his Patch Tuesday analysis posted to the company’s blog. “If exploited, the vulnerability would give an attacker Domain Administrator privileges that would allow them to access domain user credentials… Given the severity and publicity of the vulnerability, organizations should patch immediately.”
February’s range of bugs covered Microsoft Windows, Office, Internet Explorer, Edge, .NET Framework, Exchange Server, Visual Studio, Team Foundation Server, Azure IoT SDK and Dynamics. Of the 71 bugs patched in total, 20 were rated critical, 49 important and four moderate.
“Remote code execution bugs continue to dominate the monthly patch release with nearly half of the bugs this month categorized as an RCE,” wrote Dustin Childs, communications manager for Zero Day Initiative in a blog post. “Quite a few of these are related to the Jet Database Engine and the Access Database. There are two SMB patches that sound scary but are mitigated by the fact that the attacker would need to be authenticated first. Still, insider attacks are definitely a thing. These bugs involve SMBv2, but as a reminder, SMBv1 should be completely disabled on your enterprise by now.”
Goettl said system administrators should also prioritize a critical Windows Server DHCP remote code execution vulnerability (CVE-2019-0626), which received the highest CVSS score in this month’s release. “This follows last month’s fix of another Windows DHCP Client Remote Code Execution Vulnerability (CVE-2019-0547),” he wrote.
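Two of the action items above are easy to verify on a host: whether SMBv1 is still enabled (Childs’ reminder) and whether a machine running the DHCP Server role has received this month’s update (Goettl’s priority). The following PowerShell audit is an added example, not code from the article or from any of the vendors it quotes. It assumes an elevated session on Windows Server 2012 or later, and the `$ExpectedKb` value is a placeholder: the article does not list KB numbers, so substitute the February 2019 cumulative update ID for your OS build.

```powershell
# Added audit script (not from the article or any vendor cited in it).
# Run in an elevated PowerShell session on a Windows Server host.
# The KB identifier is a placeholder; look up the February 2019 cumulative
# update for your build in the Microsoft Security Update Guide and set it here.
$ExpectedKb = 'KB-PLACEHOLDER'

$report = [ordered]@{}

# 1. SMBv1: server-side protocol switch (available on Windows 8/2012 and later)
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    $report['SMB1 server protocol enabled'] = $smb.EnableSMB1Protocol
} catch {
    $report['SMB1 server protocol enabled'] = 'unknown (cmdlet unavailable)'
}

# 2. SMBv1: optional feature state (client and server components) on newer builds
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    $report['SMB1Protocol optional feature'] = $feature.State
}

# 3. Is the DHCP Server role present? If so, CVE-2019-0626 applies to this host.
$dhcpSvc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
$report['DHCP Server service present'] = [bool]$dhcpSvc
if ($dhcpSvc) { $report['DHCP Server service status'] = $dhcpSvc.Status }

# 4. Has the expected cumulative update been installed?
$hotfix = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
$report["Update $ExpectedKb installed"] = [bool]$hotfix
if ($hotfix) { $report["Update $ExpectedKb installed on"] = $hotfix.InstalledOn }

# 5. Flag the conditions a defender would act on
$findings = @()
if ($report['SMB1 server protocol enabled'] -eq $true) {
    $findings += 'SMBv1 is still enabled; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}
if ($dhcpSvc -and -not $hotfix) {
    $findings += "DHCP Server role present without $ExpectedKb; prioritize patching (CVE-2019-0626)"
}

[pscustomobject]$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings.' }
```

The script only reads state and prints warnings; the one remediation it suggests (`Set-SmbServerConfiguration -EnableSMB1Protocol $false`) is left for the operator to run deliberately, since disabling SMBv1 can break legacy clients that still depend on it.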