The February 2019 Security Update Review

February is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for February 2019

For this month, Adobe released updates for Acrobat and Reader, Flash, Cold Fusion, and the Adobe Creative Cloud Desktop Application. The Critical-rated Acrobat and Reader update addresses 71 CVEs, 17 of which came through the ZDI program. One of these CVEs, CVE 2019-7089, was publicly known at the time of release. The worst of the bugs fixed could allow an attacker to execute their own code on a target system. The patch for Cold Fusion is also Critical but only addresses two CVEs. The worst of these bugs could allow code execution through the deserialization of untrusted data.

The update for Flash is also rated Important and fixes only one CVE, which was submitted anonymously through the ZDI program. This bug allows an info disclosure through and out-of-bounds read on affected systems. The patch for the Creative Cloud Desktop Application also fixes one Important severity CVE. A DLL hijacking bug is corrected by the patch. None of these bugs are known to be under active attack at the time of release.

Microsoft Patches for February 2019

For February, Microsoft released security patches for 77 CVEs along with three new advisories. The patches cover Internet Explorer (IE), Edge, Exchange Server, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services and the .NET Framework. Of these 74 CVEs, 20 are rated Critical, 54 are rated Important, and three are rated Moderate in severity. A total of 21 of these CVEs came through the ZDI program. Four of these bugs are listed as public and one is listed as being under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with a publicly disclosed Exchange bug: 

-       CVE-2019-0686 – Microsoft Exchange Server Elevation of Privilege Vulnerability
This is one of the publicly known bugs for this month and was the subject of the ADV190007 advisory. It corrects an elevation of privilege in Exchange that allows an attack to relay NTLM credentials and take over and the server. The bug was initially disclosed via a blog post from a Fox-IT researcher. It pivots off a previous bug reported through the ZDI program that was addressed via a registry key rather than a patch. This topic has been widely discussed over the past few weeks, so it would not be surprising to see active attacks using this bug. Definitely view this as one of your high priority patches to test and deploy this month.

-       CVE-2019-0626 – Windows DHCP Server Remote Code Execution Vulnerability
If you have a DHCP server on your network, and chances are you do, this patch should be at the top of you lists. The bug allows attackers to take over your DHCP server just by sending it a specially crafted packet. Code execution through a network service that executes with high privileges definitely put this in the wormable category, although it would only be wormable to other DHCP servers. While the Exploit Index (XI) rating for this is lower, there’s no reason to pass on installing this patch once you’ve tested it.

-       CVE-2019-0594, CVE-2019-0604 – Microsoft SharePoint Remote Code Execution Vulnerability
SharePoint bugs don’t tend to be Critical, but these two certainly meet the requirements. An attacker code upload a specially crafted SharePoint application package to execute their code in the context of the SharePoint application pool and the SharePoint server farm account. Splitting websites over application pools generally allows for more rigid security between the sites. These bugs would negate that advantage.

-       CVE-2019-0676 – Internet Explorer Information Disclosure Vulnerability
This patch corrects the one bug listed as under active attack for February. An attacker could use this to check for files on a target system if a user browses to a specially crafted website. Microsoft doesn’t list how this bug is being exploited in the wild, but it’s likely restricted to targeted attacks. Considering Microsoft now lists IE as “a compatibility solution” rather than a browser, now is a good time to figure out your upgrade strategy.

Here’s the full list of CVEs released by Microsoft for February 2019.

Other patches for this month include another Exchange bug, which also involves relaying NTLM authentication. This one was not listed as public though. There are two Critical-rated RCE bugs in GDI+, which used to be a servicing nightmare due to the wide variety of products that included the component. Fortunately, GDI+ bugs now require only an OS patch. Rounding out the Critical bugs are 15 browse-and-own vulnerabilities affecting IE, Edge, and ChakraCore.

Remote code execution bugs continue to dominate the monthly patch release with nearly half of the bugs this month categorized as an RCE. Quite a few of these are related to the Jet Database Engine and the Access Database. There are two SMB patches that sound scary but are mitigated by the fact that the attacker would need to be authenticated first. Still, insider attacks are definitely a thing. These bugs involve SMBv2, but as a reminder, SMBv1 should be completely disabled on your enterprise by now.

There are a handful of Security Feature Bypass (SFB) bugs, including one in Edge that could allow Adobe Flash to automatically load without user interaction. The three SFBs in Windows all deal with Device Guard and bypassing the User Mode Code Integrity (UMCI) policy. Bypassing this allows attackers to run their own code on an otherwise locked down system. There’s an interesting bypass of the Windows Defender Firewall profile for cellular networks, but there’s no way to trigger the bypass remotely. It’s good to see Microsoft fix it anyway. 

There are quite a few information disclosure bugs being addressed this month. Considering how many applications run in some form of a sandbox, patching these types of bugs that leak memory contents makes sandbox escapes more difficult. The Azure IoT Java SDK gets a couple of patches to address an EoP and an info disclosure bug that involves logging sensitive data. Team Foundation Server gets a few patches to address XSS bugs and an info disclosure bug. Two of the XSS bugs are listed as publicly known but not under active attack. Finally, rounding out the release are three Spoofing bugs in .NET Framework, SharePoint, and the web browsers.

The first advisory released in February provides an update to the Oracle Outside In library that ships with Exchange Server. It’s technically public since Oracle released their patch back in October. Advisory ADV190006 doesn’t provide any patches, but it does provide guidance on mitigating unconstrained Active Directory delegations. Active Directory administrators with multiple forests should definitely review the guidance carefully. Finally, the fourth new advisory for this month is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on March 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!