Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/8/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Remote Code Execution Bugs Are Primary Focus of January Patch Tuesday

This month's security update includes seven patches ranked Critical and one publicly known vulnerability.

Microsoft's first Patch Tuesday update of 2019 primarily tackles remote code execution (RCE) vulnerabilities, with nearly half of 47 total fixes focusing on RCE. Businesses are also urged to apply a December out-of-band Internet Explorer patch after active attacks in the wild.

Seven of the common vulnerabilities and exposures (CVEs) are ranked Critical in severity, 40 are Important, and two are Moderate. The patches and advisories issued today cover Internet Explorer, Microsoft Edge, Windows, Office, Office Services and Web Apps, ChakraCore, Visual Studio, and the .NET Framework.

As pointed out by Dustin Childs of Trend Micro's Zero-Day Institute in a blog post, RCE flaws make up half of CVEs addressed for January 2019. Eleven of these involve the Jet Database Engine. One (CVE-2019-0579) is publicly known and classified as Important in severity; exploiting this vulnerability could let an attacker execute arbitrary code on a victim system, Microsoft reports. This requires user interaction; a target would have to open a specially crafted file for execution.

While only rated as important, the disclosure of this vulnerability means enough information has been released to the public that an attacker could have an easier time developing exploits for the flaw, says Chris Goettl, director of product management for security at Ivanti.

Also highly prioritized is CVE-2019-0547, an RCE vulnerability in the Windows DHCP client. A memory corruption vulnerability exists in the client when an attacker sends specially crafted DHCP responses to a client, Microsoft reports. Successful exploitation would let an adversary execute arbitrary code on the client machine.

"Code execution through a widely available listening service means this is a wormable bug," Childs wrote. "Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable." He noted it's interesting this flaw is in the latest version of Windows but not previous ones, likely because the component was rewritten for newer systems, he added.

"If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list," Childs wrote.

Another Office bug (CVE-2019-0560), found by Mimecast, could enable unintended leakage of data in previously created Office documents and files. While it's tough to use it as a code execution vulnerability, it could be used to harvest data users were unintentionally exposing.

"While it is certainly possible to exploit this vulnerability to execute a remote execution attack, this would require relatively high technical expertise on behalf of the attacker," says Matthew Gardiner, security strategist at Mimecast.

"What is more concerning in the immediate time frame is the potential for previously created Office files to have sensitive content in them without the knowledge of the organization or user that created them," he explains.

Much of the discussion this month revolves around CVE-2018-8653, an out-of-band patch Microsoft issued for an Internet Explorer memory corruption vulnerability in December 2018. The flaw could corrupt memory in such a way that someone could execute arbitrary code in the context of the current user, says Microsoft, and an attacker could gain the same user's rights.

"That vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms," says Allan Liska, senior solutions architect at Recorded Future. "If you have not patched this vulnerability yet, it should be the No. 1 priority."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...