Threat Intelligence

1/8/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Remote Code Execution Bugs Are Primary Focus of January Patch Tuesday

This month's security update includes seven patches ranked Critical and one publicly known vulnerability.

Microsoft's first Patch Tuesday update of 2019 primarily tackles remote code execution (RCE) vulnerabilities, with nearly half of 47 total fixes focusing on RCE. Businesses are also urged to apply a December out-of-band Internet Explorer patch after active attacks in the wild.

Seven of the common vulnerabilities and exposures (CVEs) are ranked Critical in severity, 40 are Important, and two are Moderate. The patches and advisories issued today cover Internet Explorer, Microsoft Edge, Windows, Office, Office Services and Web Apps, ChakraCore, Visual Studio, and the .NET Framework.

As pointed out by Dustin Childs of Trend Micro's Zero-Day Institute in a blog post, RCE flaws make up half of CVEs addressed for January 2019. Eleven of these involve the Jet Database Engine. One (CVE-2019-0579) is publicly known and classified as Important in severity; exploiting this vulnerability could let an attacker execute arbitrary code on a victim system, Microsoft reports. This requires user interaction; a target would have to open a specially crafted file for execution.

While only rated as important, the disclosure of this vulnerability means enough information has been released to the public that an attacker could have an easier time developing exploits for the flaw, says Chris Goettl, director of product management for security at Ivanti.

Also highly prioritized is CVE-2019-0547, an RCE vulnerability in the Windows DHCP client. A memory corruption vulnerability exists in the client when an attacker sends specially crafted DHCP responses to a client, Microsoft reports. Successful exploitation would let an adversary execute arbitrary code on the client machine.

"Code execution through a widely available listening service means this is a wormable bug," Childs wrote. "Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable." He noted it's interesting this flaw is in the latest version of Windows but not previous ones, likely because the component was rewritten for newer systems, he added.

"If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list," Childs wrote.

Another Office bug (CVE-2019-0560), found by Mimecast, could enable unintended leakage of data in previously created Office documents and files. While it's tough to use it as a code execution vulnerability, it could be used to harvest data users were unintentionally exposing.

"While it is certainly possible to exploit this vulnerability to execute a remote execution attack, this would require relatively high technical expertise on behalf of the attacker," says Matthew Gardiner, security strategist at Mimecast.

"What is more concerning in the immediate time frame is the potential for previously created Office files to have sensitive content in them without the knowledge of the organization or user that created them," he explains.

Much of the discussion this month revolves around CVE-2018-8653, an out-of-band patch Microsoft issued for an Internet Explorer memory corruption vulnerability in December 2018. The flaw could corrupt memory in such a way that someone could execute arbitrary code in the context of the current user, says Microsoft, and an attacker could gain the same user's rights.

"That vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms," says Allan Liska, senior solutions architect at Recorded Future. "If you have not patched this vulnerability yet, it should be the No. 1 priority."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.