Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/8/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Remote Code Execution Bugs Are Primary Focus of January Patch Tuesday

This month's security update includes seven patches ranked Critical and one publicly known vulnerability.

Microsoft's first Patch Tuesday update of 2019 primarily tackles remote code execution (RCE) vulnerabilities, with nearly half of 47 total fixes focusing on RCE. Businesses are also urged to apply a December out-of-band Internet Explorer patch after active attacks in the wild.

Seven of the common vulnerabilities and exposures (CVEs) are ranked Critical in severity, 40 are Important, and two are Moderate. The patches and advisories issued today cover Internet Explorer, Microsoft Edge, Windows, Office, Office Services and Web Apps, ChakraCore, Visual Studio, and the .NET Framework.

As pointed out by Dustin Childs of Trend Micro's Zero-Day Institute in a blog post, RCE flaws make up half of CVEs addressed for January 2019. Eleven of these involve the Jet Database Engine. One (CVE-2019-0579) is publicly known and classified as Important in severity; exploiting this vulnerability could let an attacker execute arbitrary code on a victim system, Microsoft reports. This requires user interaction; a target would have to open a specially crafted file for execution.

While only rated as important, the disclosure of this vulnerability means enough information has been released to the public that an attacker could have an easier time developing exploits for the flaw, says Chris Goettl, director of product management for security at Ivanti.

Also highly prioritized is CVE-2019-0547, an RCE vulnerability in the Windows DHCP client. A memory corruption vulnerability exists in the client when an attacker sends specially crafted DHCP responses to a client, Microsoft reports. Successful exploitation would let an adversary execute arbitrary code on the client machine.

"Code execution through a widely available listening service means this is a wormable bug," Childs wrote. "Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable." He noted it's interesting this flaw is in the latest version of Windows but not previous ones, likely because the component was rewritten for newer systems, he added.

"If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list," Childs wrote.

Another Office bug (CVE-2019-0560), found by Mimecast, could enable unintended leakage of data in previously created Office documents and files. While it's tough to use it as a code execution vulnerability, it could be used to harvest data users were unintentionally exposing.

"While it is certainly possible to exploit this vulnerability to execute a remote execution attack, this would require relatively high technical expertise on behalf of the attacker," says Matthew Gardiner, security strategist at Mimecast.

"What is more concerning in the immediate time frame is the potential for previously created Office files to have sensitive content in them without the knowledge of the organization or user that created them," he explains.

Much of the discussion this month revolves around CVE-2018-8653, an out-of-band patch Microsoft issued for an Internet Explorer memory corruption vulnerability in December 2018. The flaw could corrupt memory in such a way that someone could execute arbitrary code in the context of the current user, says Microsoft, and an attacker could gain the same user's rights.

"That vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms," says Allan Liska, senior solutions architect at Recorded Future. "If you have not patched this vulnerability yet, it should be the No. 1 priority."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-20001
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
CVE-2020-36317
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
CVE-2020-36318
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
CVE-2021-28875
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
CVE-2021-28876
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...