2/12/2019
05:36 PM
Robert Lemos

Microsoft, Adobe Both Close More Than 70 Security Issues

With their regularly scheduled Patch Tuesday updates, both companies issued fixes for scores of vulnerabilities in their widely used software.

Software makers Microsoft and Adobe both released large updates for their regularly scheduled Patch Tuesday releases today, with each company closing more than 70 security holes in their products.

Among the issues patched by Microsoft is a privilege escalation vulnerability in Microsoft's Exchange server. The vuln allowed a security researcher to combine two other issues, creating an exploit that allows any mail user to become any other user or take control of the domain. The exploit for the flaw is already considered to be in the wild.

"This bug allows a regular user to escalate privileges to any other user on an Exchange server," said Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative. "They could take over an account to send mail as a part of a phishing campaign, or they could just escalate and take over the server. Taking over an Exchange server would be the more likely scenario."

The nearly 150 security issues fixed by the two companies could hint at another banner year for vulnerability research. In 2018, more than 16,500 vulnerabilities were disclosed, up 13 percent from the previous year, according to the National Vulnerability Database.  

The number of security issues that each company patched is large, but not unprecedented, according to Trend Micro's Childs, who noted that the last few Adobe Reader patches have had a similar number of issues. 

"December and January are historically 'light' patch months for Microsoft, so the volume of patches this month isn’t that surprising," he said.

Microsoft patched 47 issues in January and 39 issues in December.

One of the major issues identified by experts is a flaw in Microsoft's DHCP server, which dynamically assigns network addresses to devices when they join a particular network. Such servers use the Dynamic Host Configuration Protocol (DHCP) to assign addresses from a local network subdomain. In a blog post on the updates, Trend Micro added "[i]f you have a DHCP server on your network, and chances are you do, this patch should be at the top of you[r] list."

"Most enterprises will have their DHCP server isolated from the Internet, so that adds some protection," Trend Micro's Childs said. "As far as I know, there are no workarounds for this bug. Patch quickly."

Such servers are ubiquitous, but often the DHCP server is built into networking hardware such as routers. 

Security firm Tenable had the same advice for users of Microsoft's Exchange server.

"If exploited, the vulnerability would give an attacker Domain Administrator privileges that would allow them to access domain user credentials," Satnam Narang, senior research engineer at Tenable, said in a statement. "Given the severity and publicity of the vulnerability, organizations should patch immediately."

Security firm Ivanti recommended that the patches for Microsoft's operating system, browser, and its Office productivity suite be made a priority, as some of the Windows and Internet Explorer flaws are actively being exploited. The company also warned that Adobe Flash, Acrobat and Reader should all be patched quickly, as all are often targeted by attackers for compromise.

Adobe's update patched 71 issues in Adobe's PDF software, Acrobat and Reader, and another four issues in other software, such as Flash and ColdFusion. While the company said it is not aware of any exploitation of the issues, at least one of the vulnerabilities has a detailed technical analysis posted online.

While the number of vulnerabilities publicly reported through bounty programs is typically under 5 percent, almost a quarter of the security issues patched by Adobe were reported through the Zero Day Initiative, according to data from Adobe's advisory. 

"The worst of the bugs fixed could allow an attacker to execute their own code on a target system," ZDI stated on its blog.

 

 


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
