Hefty patch Tuesday checks in at just under 100 CVEs
Updated A pair of actively-targeted Windows flaws headline this month's edition of Redmond's Patch Tuesday, the monthly moment when admins sigh and work out what to fix.
For Microsoft, the monthly batch brings fixes for a total of 74 CVE-listed security bugs in Windows and Office. Of those, 33 are flaws that, if exploited, would allow an attacker to achieve remote code execution.
As usual, most of the remote code execution flaws were found in the browser and scripting engines. Those include three XML flaws (CVE-2019-0791, CVE-2019-0792, CVE-2019-0793) and half a dozen remote code execution flaws in the Chakra scripting engine. In each case, an attacker would trigger the vulnerability by luring the victim to a specially crafted webpage.
Of the other flaws, experts are advising users and administrators to prioritize two fixes for bugs currently being exploited in the wild. CVE-2019-0803 and CVE-2019-0859 are a pair of elevation of privilege vulnerabilities in Win32k. Both require the attacker to already have a foothold on the vulnerable PC, so exploiting them turns an existing compromise into a worse one rather than providing initial access.
“These bugs allow an attacker to elevate privileges and take over a system after they have access to that system,” said Dustin Childs of the Trend Micro ZDI.
“There’s not much info on how these bugs are being used, but targeted malware seems the most likely source.”
Also catching the eye of ZDI researchers was CVE-2019-0856, a remote code execution flaw in Windows that, oddly, also requires the attacker to be logged in and already running code on the vulnerable PC.
“The title lists this as Remote Code Execution, but the description indicates an attacker would need to log on to a system to exploit the bug,” Childs noted.
“Either way, considering it affects all supported Windows versions and that it was fixed by ‘correcting how Windows handles objects in memory,’ – this patch should definitely not be missed.”
Office also received fixes for a number of remote code execution flaws, including four in the Office Access Connectivity Engine, a component of the Jet Database engine.
Microsoft argues that Office RCEs are less of a risk than those in the browser, as they require the victim to open a malicious file rather than simply visit a webpage. Still, given how readily users open Office attachments, admins would be wise to prioritize those updates too.
Adobe, meanwhile, has kicked out updates for Acrobat and Reader that address 21 remote code execution flaws in the PDF app.
Flash Player also got an update this month, though that patch only deals with two CVE-listed vulnerabilities that would allow remote code execution. Adobe said it has not received any word of active exploits targeting any of the bugs. ®
Updated to add
Late to the patch party came SAP.
For SAP, the month brings 11 security updates including a high-priority fix for an XML external entity (XXE) vulnerability in HANA. Security house Onapsis, whose researchers took credit for discovering the bug, said it is actually present in a number of SAP products, with HANA being the last to get a fix after NetWeaver and ABAP.
"Special attention should be paid to this critical vulnerability for its likelihood to be used in a targeted attack, based on its ease of exploitability and the potential negative impact to business continuity," Onapsis says of the bug (https://www.onapsis.com/blog/sap-patch-notes-april-2019).
“If not patched, the vulnerability would allow an attacker to remotely access critical files from the server and steal any web app custom code.”
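To show what an XXE bug of the kind Onapsis describes actually hands an attacker, here is an added example that is not from the article, from Onapsis or from SAP: Python's standard-library xml.sax parser stands in for a vulnerable XML-consuming component, and the same attacker-supplied document is parsed once with external general entities enabled (the vulnerable setting) and once with them disabled (the fix). The payload, the `TextCollector` handler, the `parse_untrusted_xml` and `demo` functions and the temporary "secret" file are all constructed for the demonstration and are assumptions of this example, not details of the SAP flaw.

```python
"""Added example: what an XXE bug lets a remote attacker do, and the parser
setting that closes it. Python's stdlib xml.sax stands in for the vulnerable
component; nothing here is SAP's or Onapsis's code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data of the parsed document, which is where an
    expanded entity lands."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def build_xxe_payload(target_path):
    """Return a classic XXE document: an external general entity whose SYSTEM
    identifier names a local file, referenced from an element so the file's
    contents are spliced into the document. A real attacker would point it at
    something like file:///etc/passwd; demo() uses a constructed temp file."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE doc [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<doc><data>&xxe;</data></doc>\n"
    ).encode()


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse attacker-supplied XML and return its character data.

    resolve_external_entities=True is the vulnerable configuration: the parser
    fetches whatever the DOCTYPE's SYSTEM identifier names (a local file, or a
    URL, which turns the same bug into SSRF) and inlines it. False is the fix:
    external general entities are skipped, so the reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def demo():
    """Write a constructed 'secret' file, attack it through both parser
    configurations, and return what each one leaked."""
    secret = "db_password=hunter2"  # constructed stand-in for a server-side file
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        payload = build_xxe_payload(path)
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        safe = parse_untrusted_xml(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return {"secret": secret, "vulnerable": leaked, "hardened": safe}


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser returned:", repr(result["vulnerable"]))
    print("hardened parser returned:  ", repr(result["hardened"]))
```

Run it and the vulnerable configuration returns the file's contents as the text of `<data>`, which is exactly the "remotely access critical files from the server" outcome Onapsis warns about; the hardened configuration returns an empty string because the entity reference is skipped. Since the SYSTEM identifier can just as well be a URL, the robust fix is to refuse external entities (and DTD processing altogether where the application does not need it) rather than to filter paths.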