1. IT-Security >
  2. Hacking >
  3. The January 2019 Security Update Review


ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

The January 2019 Security Update Review

RSS Kategorie Pfeil Hacking vom | Quelle: thezdi.com Direktlink öffnen

A new year is upon us and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for January 2019

Adobe kicked off the new year by releasing an unscheduled update for Adobe Acrobat and Reader on January 3rd. Unlike most of their unscheduled releases, this one does not address anything being actively exploited. The two critical-rated CVEs it fixes were both reported through the ZDI program. The security bypass reported by ZDI researcher Abdul-Aziz Hariri was the result of a previously released security patch that didn’t quite fix what it intended to fix. The other CVE is a use-after-free (UAF) bug that was fast approaching the 120-day disclosure deadline. Again, neither were publicly known or under active attack at the time of release.

Today, Adobe released additional security patches for Flash, Connect, and Adobe Digital Editions. The Flash patch actually just provides bug fixes and does not address any security bugs. The Connect patch addresses a single CVE correcting a security token exposure. Similarly, the patch for Digital Editions patches one CVE fixing an out of bounds read. None of these issues are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for January 2019 

Microsoft begins 2019 with 49 security patches and two advisories covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, Visual Studio, and the .NET Framework. Of these 49 CVEs, 7 are listed as Critical, 40 are rated Important, and two are rated Moderate in severity. A total of 10 of these CVEs came through the ZDI program. One of these bugs is listed as publicly known at the time of release and none are reported as being actively exploited.

Let’s take a closer look at some of the more interesting patches for this month, starting with a disconcerting bug in the Windows DHCP client:

-       CVE-2019-0547 – Windows DHCP Client Remote Code Execution Vulnerability
If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list. A bug in the DHCP client could allow attackers to execute their code on affected systems. Code execution through a widely available listening service means this is a wormable bug. Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable. It’s interesting the vulnerability exists in the latest version of the OS but not previous ones. It’s likely due to the component being re-written for the newer systems. Regardless, definitely put this in your “patch now” category.

-       CVE-2019-0586 – Microsoft Exchange Memory Corruption Vulnerability
This corrects a bug in Exchange that could allow an attacker to take control of an Exchange server just by sending it a specially crafted email. That’s a bit of a problem, as receiving emails is a big part of what Exchange is meant to do. Microsoft lists this as Important in severity, but taking over an Exchange server by simply sending it an email puts this in the Critical category to me. If you use Exchange, definitely put this high on your test and deploy list.

-       CVE-2019-0550, CVE-2019-0551 – Windows Hyper-V Remote Code Execution Vulnerability
These are two different CVEs, but I grouped them together as they have the same exploit scenario and impact. For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS. The root cause for both of these bugs goes back to the failure to properly validate user input. Although titled as “remote code execution,” these bugs require an attacker to execute code on the guest OS. At last year’s Pwn2Own, these bugs could have earned up to $250,000 USD for a participant. This year’s event will also likely include large payouts for Hyper-V exploits. Let’s hope we see some bugs like these demonstrated at the contest.

-       CVE-2019-0622 – Skype for Android Elevation of Privilege Vulnerability
Although not as severe as some of the other bugs addressed this month, this patch covers a bug in Skype for Android that could bypass the lock screen. Obviously, an attacker would need physical access to your phone to do this. According to published reports, a fix for this was included in the December 23 release of Skype, so this release is primarily documenting the details. Although Microsoft does not list this as publicly known, the researcher posted a YouTube video demonstrating the vulnerability back on December 31. To get the update, you’ll need to manually access the Google Play store and update the Skype app from there.

Here’s the full list of CVEs released by Microsoft for January 2019.

CVE Title Severity Public Exploit XI - Latest XI - Older Type
CVE-2019-0579 Jet Database Engine Remote Code Execution Vulnerability Important Yes No 3 3 RCE
CVE-2019-0539 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0568 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0567 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0565 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0547 Windows DHCP Client Remote Code Execution Vulnerability Critical No No 1 N/A RCE
CVE-2019-0550 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-0551 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0548 ASP.NET Core Denial of Service Vulnerability Important No No 2 2 EoP
CVE-2019-0566 Microsoft Edge Elevation of Privilege Vulnerability Important No No 1 N/A EoP
CVE-2019-0562 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0543 Microsoft Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0555 Microsoft XmlDocument Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0552 Windows COM Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0571 Windows Data Sharing Service Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0572 Windows Data Sharing Service Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0573 Windows Data Sharing Service Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0574 Windows Data Sharing Service Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0570 Windows Runtime Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0545 ASP.NET Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0560 Microsoft Office Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0559 Microsoft Outlook Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0537 Microsoft Visual Studio Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0561 Microsoft Word Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0536 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0549 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0554 Windows Kernel Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0569 Windows Kernel Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2019-0553 Windows Subsystem for Linux Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0541 Internet Explorer Remote Code Execution Vulnerability Important No No 1 1 RCE
CVE-2019-0538 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0575 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0576 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0577 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0578 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0580 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0581 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0582 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0583 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0584 Jet Database Engine Remote Code Execution Vulnerability Important No No 3 3 RCE
CVE-2019-0588 Microsoft Exchange Information Disclosure Vulnerability Important No No 2 2 RCE
CVE-2019-0586 Microsoft Exchange Memory Corruption Vulnerability Important No No 1 1 RCE
CVE-2019-0585 Microsoft Word Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0556 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2019-0557 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2019-0558 Microsoft Office SharePoint XSS Vulnerability Important No No 2 2 XSS
CVE-2019-0622 Skype for Android Elevation of Privilege Vulnerability Moderate No No N/A N/A EoP
CVE-2019-0546 Visual Studio Remote Code Execution Vulnerability Moderate No No 2 2 RCE

While there are only seven Critical-rated patches in the bunch, nearly half of this month’s patches correct some form of remote code execution. Eleven of these RCE patches involve the Jet Database Engine. One of these patches is listed as publicly known, but it’s not clear where the information is published. There is user interaction here, as targets need to open a specially crafted file. The Jet Database Engine is something we have a bit of familiarity with, so it’s good to see additional patches for the component.

User interaction is also what lowers severity ratings for RCEs in Office and, unusually, Internet Explorer. While browser bugs are typically browse-and-own, CVE-2019-0541 requires the target to edit a specially crafted file designed to exploit the vulnerability. There’s also patches for more traditional browser bugs in Edge and ChakraCore, but fewer this month than seen in previous months.

In addition to the Exchange bug mentioned above, there’s also an info disclosure bug in Exchange being addressed. This joins info disclosure bugs in other Office components, the Windows kernel, .NET, and the Windows Subsystem for Linux. Most of these will simply leak memory address information, but others could allow attackers to read data from files or details from calendar appointments. The ASP.NET component also has a couple of denial-of-service bugs patched this month. In both cases, a remote unauthenticated attacker could crash an ASP.NET Core web application by sending specially crafted requests.

Rounding out this month’s release are some elevation of privilege bugs in SharePoint and multiple Windows components, most notably the Windows Data Sharing Service, which gets four separate CVEs. For these types of bugs, attackers first need to log on to a system. They would then execute a specially crafted program designed to take advantage of the vulnerability. This is a common tactic for malware to embed itself on a system. SharePoint also gets three patches to address cross-site scripting (XSS) bugs, which also serve as a reminder to developers to always sanitize user input. 

The first advisory released in January is the confusingly named ADV990001, which provides the latest servicing stack updates for supported Windows versions. Although listed as Critical, this usage means that it is a critical update for your system – not a Critical severity bug. Finally, the other advisory for this month is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on February 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!

...

Webseite öffnen Komplette Webseite öffnen

Newsbewertung

Kommentiere zu The January 2019 Security Update Review






Ähnliche Beiträge

  • 1. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 422.31 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 2. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 422.31 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 3. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 422.31 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 4. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 422.31 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 5. The August 2019 Security Update Review vom 399.33 Punkte ic_school_black_18dp
    August is here and it brings with it the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.   Adobe Patches for August 2019 Adobe releas
  • 6. CentOS Blog: CentOS Community Newsletter, August 2019 (#1908) vom 381.86 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, It's been another busy month, but better a few days late than never! If you'd like to help out with the process of putting together the newsletter, please see the Contributing section at the end. We're always looking for help! Re
  • 7. The June 2019 Security Update Review vom 367.16 Punkte ic_school_black_18dp
    June has arrived and so have the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for June 2019 This month, Ad
  • 8. The February 2019 Security Update Review vom 337.35 Punkte ic_school_black_18dp
    February is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2019
  • 9. The February 2019 Security Update Review vom 337.35 Punkte ic_school_black_18dp
    February is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2019
  • 10. The July 2019 Security Update Review vom 333.55 Punkte ic_school_black_18dp
    July has arrived and so have the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for July 2019 Adobe released
  • 11. The May 2019 Security Update Review vom 331.06 Punkte ic_school_black_18dp
    May is here and so are the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.   Adobe Patches for May 2019 This month, Ado
  • 12. CentOS Blog: CentOS Pulse Newsletter, May 2019 (#1905) vom 303.67 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter #CentOS15 Yes, we've mentioned this before, but we're still pretty stoked about it. On the 15