March’s Patch Tuesday Fixes Privilege Escalation Vulnerabilities Exploited in the Wild

Microsoft’s Patch Tuesday for March addressed 64 vulnerabilities, 17 of which were rated critical, 45 important, one moderate, and another low in severity. Two of these vulnerabilities, CVE-2019-0797 and CVE-2019-0808, were reported to have been actively exploited in the wild. The patches addressed security flaws in a number of Microsoft products and services: .NET Framework, Edge, Exchange, Internet Explorer, Office, Office Services and Web Apps, NuGet, Team Foundation Server, and Windows. Seven of the vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI).

Meanwhile, Adobe released updates fixing three security issues in the web application development platform ColdFusion (APSB19-14), Photoshop CC (APSB19-15), and Digital Editions (APSB19-16). The vulnerability in ColdFusion versions 11, 2016, and 2018 — designated as CVE-2019-7816 — is a critical arbitrary code execution flaw that was reportedly being exploited in the wild. If successfully exploited, it could enable hackers to bypass restrictions for uploading files to a vulnerable server. Malicious code can then be uploaded and executed via HTTP request. Adobe’s security bulletin provides additional recommendations that can mitigate attacks that exploit CVE-2019-7816.

The security flaw in Photoshop (CVE-2019-7094), disclosed via ZDI, is a heap corruption vulnerability that can enable hackers to execute arbitrary code by sending users a maliciously crafted file. CVE-2019-7094 affects Photoshop CC 19.1.7, 20.0.2, and earlier versions on both Windows and macOS. The vulnerability in Digital Editions (CVE-2019-7095), a heap overflow issue, works in a similar way to CVE-2019-7094.

Notable vulnerabilities addressed by Microsoft this month include:

  • CVE-2019-0797, CVE-2019-0808. Privilege escalation vulnerabilities in Windows’ Win32k component that, when successfully exploited, can let hackers run arbitrary code in kernel mode, where the operating system’s core components are run. Reported by Kaspersky and Google Threat Analysis Group, respectively, these flaws were said to have been actively exploited in the wild. An exploit for CVE-2019-0808, in particular, was being chained with another then-zero-day vulnerability in Google Chrome (CVE-2019-5786) in attacks targeting Windows 7 use
  • CVE-2019-0697, CVE-2019-0698, CVE-2019-0726. Memory corruption vulnerabilities in Windows’ Dynamic Host Configuration Protocol (DHCP) client, which is used to obtain configuration information such as IP addresses. While there are no indications that these flaws are actively exploited, what’s significant about these vulnerabilities is that they don’t require user interaction. An attacker can send a malformed DHCP response (network packet) to a client host to exploit the vulnerabilities, leaving the targeted system susceptible to remote code execution (RCE).

The Trend Micro™ Deep Security™ and Vulnerability Protection solutions protect user systems from threats that may target the vulnerabilities addressed in this month’s Patch Tuesday via the following Deep Packet Inspection (DPI) rules:

  • 1009535 — Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)
  • 1009475 — Microsoft Windows Data Sharing Service Elevation of Privilege Vulnerability (CVE-2019-0571)
  • 1009563 — Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-0665)
  • 1009564 — Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2019-0769)
  • 1009565 — Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2019-0770)
  • 1009566 — Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2019-0771)
  • 1009567 — Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2019-0773)
  • 1009568 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2019-0763)
  • 1009569 — Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0680)
  • 1009570 — Microsoft Internet Explorer Security Feature Bypass Vulnerability (CVE-2019-0768)
  • 1009571 — Microsoft Windows Multiple Information Disclosure Vulnerabilities (CVE-2019-0755, CVE-2019-0767, CVE-2019-0775)
  • 1009573 — Microsoft Edge Security Feature Bypass Vulnerability (CVE-2019-0612)
  • 1009574 — Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2019-0639)
  • 1009575 — Microsoft Internet Explorer and Edge Scripting Engine Memory Corruption Vulnerability (CVE-2019-0609)
  • 1009576 — Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2019-0666)
  • 1009577 — Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0592)
  • 1009578 — Microsoft Internet Explorer VBScript Engine Remote Code Execution Vulnerability (CVE-2019-0667)
  • 1009579 — Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2019-0703)
  • 1009582 — Microsoft Windows Win32k Elevation Of Privilege Vulnerability (CVE-2019-0808)
  • 1009583 — Microsoft Windows Win32k Elevation Of Privilege Vulnerability (CVE-2019-0797)

The Trend Micro™ TippingPoint® solution protects customers from threats that may exploit the aforementioned vulnerabilities via these MainlineDV filters:

  • 34687: HTTP: Microsoft Edge DataView Out-of-Bounds Write Vulnerability
  • 34688: HTTP: Microsoft Edge Use-After-Free Vulnerability
  • 34689: HTTP: Microsoft Edge adoptNode Security Feature Bypass Vulnerability
  • 34690: HTTP: Microsoft Edge prototype Type Confusion Vulnerability
  • 34691: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
  • 34692: HTTP: Microsoft Internet Explorer RegExp Buffer Overflow Vulnerability
  • 34693: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
  • 34694: HTTP: Microsoft Internet Explorer Worker Use-After-Free Vulnerability
  • 34695: SMB: Microsoft Windows Information Disclosure Vulnerability
  • 34696: HTTP: Microsoft Windows Kernel Information Disclosure Vulnerability
  • 34697: HTTP: Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
  • 34698: HTTP: Microsoft Windows Information Disclosure Vulnerability
  • 34699: HTTP: Microsoft Internet Explorer MSHTML Security Bypass Vulnerability
  • 34700: HTTP: Microsoft Edge Type Confusion Vulnerability
  • 34701: HTTP: Microsoft Edge Memory Corruption Vulnerability
  • 34702: HTTP: Microsoft Edge Chakra initProto Memory Corruption Vulnerability
  • 34703: HTTP: Microsoft Edge JIT Type Confusion Vulnerability
  • 34704: HTTP: Microsoft Windows Information Disclosure Vulnerability
  • 34776: HTTP: Adobe ColdFusion Suspicious Multipart File Upload
  • 34777: HTTP: Microsoft Windows Win32k Privilege Escalation Vulnerability
  • 34779: HTTP: Adobe ColdFusion Suspicious File Upload


Article Link: http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/8qmtYF2hSK4/