Microsoft Patches Zero-Day Bug Under Active Attack

Microsoft Patch Tuesday security bulletin tackles 22 critical vulnerabilities.

Microsoft has released a patch for an elevation-of-privileges vulnerability rated important, which is being exploited in the wild.

The bug fix is part of Microsoft’s May Patch Tuesday Security Bulletin. It’s tied to the Windows Error Reporting feature and is being abused by attackers who have gained local access to affected PCs. They are able to trigger arbitrary code-execution in kernel mode — resulting in a complete system compromise.

“They would need to first gain access to run code on a target system, but malware often uses elevations like this one to go from ‘user’ to ‘admin’ code execution,” wrote Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, in a blog post on Tuesday. “While details about the use of the exploit are not available, it is likely being used in limited attacks against specific targets.”

The bug (CVE-2019-0863) is one of 80 vulnerabilities patched Tuesday, including 22 rated critical and 57 identified as important in severity.

Microsoft additionally gave guidance on mitigating against the just-announced Intel flaws called Microarchitectural Data Sampling vulnerabilities. Microsoft has released software updates to help mitigate the side-channel problems, which open the door to four different attack vectors, dubbed ZombieLoad, Fallout, RIDL (Rogue In-Flight Data Load) and Store-to-Leak Forwarding.

“To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services,” Microsoft wrote.

Among the other critical bugs patched, system administrators are urged to immediately deploy fixes for a Remote Desktop Services remote code-execution vulnerability (CVE-2019-0708).

The bug is notable for a number of reasons. One, it’s “wormable” flaw and has the potential to be exploited in a fast-moving malware attack similar to WannaCry. As a testament to its potential for havoc, Microsoft has also gone the extra step in deploying patches to Windows XP and Windows 2003 for the bug, neither of which is still supported via monthly Patch Tuesday updates.

“An unauthenticated attacker targeting vulnerable systems with Remote Desktop Protocol enabled could exploit this flaw to gain remote code-execution,” wrote Satnam Narang, senior research engineer at Tenable. “It is highly likely that this vulnerability will be exploited in the wild in the near future, as attackers develop exploit code.”

“This [bug] would have the potential of a global WannaCry-level event,” added Chris Goettl, director of product management for security at Ivanti. “What’s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn’t have found unless you were looking at the Windows Update Catalog). So, this affects Windows 7, Server 2008 R2, XP and Server 2003.”

Researchers identified an additional critical bug (CVE-2019-0725), which applies to Windows DHCP Server and can also lead to remote code-execution.

“Any unauthenticated attacker who can send packets to a DHCP server can exploit this vulnerability,” wrote Qualys in its Patch Tuesday analysis. “This patch should be prioritized for any Windows DHCP implementations.”

A similar vulnerability in the DHCP Server was patched in February, and the DHCP Client was patched for a separate vulnerability in March.

In all, the Microsoft updates this month fixed a range of products including Windows, Office, Office 365, Sharepoint, .Net Framework, SQL Server and even Skype for Android.

Regarding the latter, “there is a publicly disclosed vulnerability (CVE-2019-0932) in Skype for Android that could allow for information disclosure,” Goettl said. “An attacker could use the exploit to listen to a conversation of a Skype for Android user without their knowledge.”

Also on Tuesday, Adobe issued patches for 87 vulnerabilities – the bulk of which exist in Adobe’s Acrobat and Reader product.

And, Apple this week rolled out 173 patches across in various products across its hardware portfolio, including for dangerous bugs in macOS for laptops and desktops, iPhone, Apple TV and Apple Watch. The fixes also addressed the Intel side-channel attacks.

Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.

Suggested articles