As March Patch Tuesday landed I happened to be in a room full of IT Admins talking about best practices for patch management. One of those best practices happened to be around ensuring you have good sources of data. While it looks like this month will not be an issue, in past months we have seen vulnerabilities that were only rated as Important but were actively being exploited. Our guidance to Ivanti customers is to not rely solely on vendor severity or even CVSS score as your only triggers for what should be deployed to your environment. Exploited, publicly disclosed, and user targeted vulnerabilities should also be taken into account.
For the month of March there are 64 unique CVEs resolved by Microsoft. Two of these have been detected in active exploits and four have been publicly disclosed, meaning enough information has been made publicly available to give threat actors a jumpstart on developing exploits for them.
The Microsoft updates affect the Windows OS, Internet Explorer and Edge, Office (O365 appears to be non-security this month) and SharePoint. It looks like we have broken the streak of .NET and Exchange updates we had seen for the past several months, making it a lighter Patch Tuesday, but still one with a bit of urgency, and that urgency is around the OS and IE updates. Here is a breakdown of the Zero Day and publicly disclosed vulnerabilities.
- Win32k Elevation of Privilege Vulnerability (CVE-2019-0797) exists in Windows allowing an attacker to run arbitrary code in kernel mode. This CVE affects Windows 8.1, 10, Server 2012, 2012 R2 and the Server 1709, 1803, 2016 and 2019 editions. The vulnerability is only rated as Important, likely because the attacker first has to log on to the system, but the vulnerability has been detected in attacks in the wild. This relates to the Google Chrome CVE-2019-5786 that took advantage of this OS vulnerability to evade the security sandbox meant to keep browser sessions from interacting with the OS.
- Win32k Elevation of Privilege Vulnerability (CVE-2019-0808) exists in Windows allowing an attacker to run arbitrary code in kernel mode. This CVE affects Windows 7, Server 2008, and 2008 R2 editions. The vulnerability is only rated as Important, likely because the attacker first has to log on to the system, but the vulnerability has been detected in attacks in the wild. This relates to the Google Chrome CVE-2019-5786 that took advantage of this OS vulnerability to evade the security sandbox meant to keep browser sessions from interacting with the OS.
- Visual Studio Remote Code Execution Vulnerability (CVE-2019-0809) exists in the Visual Studio C++ Redistributable Installer and could allow remote code execution if a malicious DLL is introduced on the local system and a user is convinced to execute the program executable.
- Active Directory Elevation of Privilege Vulnerability (CVE-2019-0683) exists in Active Directory Forest due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.
- NuGet Package Manager Tampering Vulnerability (CVE-2019-0757) exists in NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify a NuGet package so that it changes files and folders that are unpacked on a system. The attacker would need to log on to the affected system and tamper with the folder contents of the package prior to building or installation of an application.
- Windows Denial of Service Vulnerability (CVE-2019-0754) exists in Windows that could allow an attacker to cause the system to stop responding. The attacker would have to log on to the affected system and run a specially crafted file to exploit the vulnerability.
On the non-Microsoft front there is an Adobe Flash update, but it does not resolve any security vulnerabilities. Google Chrome dropped late in the day, resolving 60 vulnerabilities. This, combined with the Zero Day vulnerability (CVE-2019-5786) resolved on March 1st, should put Chrome on the priority list this month.
Our guidance for this month is to get the Windows OS and IE updates applied as a top priority and make sure your Google Chrome update from last week is also applied as soon as possible. This will plug the three zero-day CVEs regarding the Win32k.sys Elevation of Privilege vulnerabilities being exploited in the wild and plug two of the publicly disclosed vulnerabilities.
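The prioritization rule stated at the top of this post, that exploitation and public disclosure should drive deployment order rather than vendor severity alone, can be written down as a small triage model. The following Python script is an added example and is not Ivanti's code or tooling. The CVE identifiers and their exploited/disclosed flags are taken from this post; the vendor ratings of the four publicly disclosed CVEs and of the Chrome CVE are not stated in the post and are filled in as labelled assumptions, and the Critical entry is a constructed placeholder included only to show that an exploited Important CVE outranks an unexploited Critical one. The score weights and tier names are choices made for the example, not a published standard.

```python
"""Patch-priority triage: rank a month's CVEs by exploitation and disclosure
status first and vendor severity second.  Added example; not Ivanti's code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    vendor_severity: Optional[str]   # vendor rating, or None when not known
    exploited: bool = False          # detected in active exploits in the wild
    disclosed: bool = False          # details public before the fix shipped
    user_targeted: bool = False      # needs a user to open or run something


SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def priority_score(v: Vuln) -> int:
    """Higher is more urgent.  Exploitation dominates, then public disclosure,
    then a user-targeted vector; vendor severity only orders within a band."""
    score = SEVERITY_RANK.get(v.vendor_severity or "", 0)
    if v.exploited:
        score += 100
    if v.disclosed:
        score += 10
    if v.user_targeted:
        score += 5
    return score


def deployment_tier(v: Vuln) -> str:
    """Map a vulnerability to a rollout tier.  An Important CVE that is being
    exploited lands in the top tier ahead of an unexploited Critical one."""
    if v.exploited:
        return "emergency"       # deploy now, ahead of the normal ring schedule
    if v.disclosed or v.vendor_severity == "Critical" or v.user_targeted:
        return "this-cycle"      # must go out within the current patch window
    return "standard"            # normal maintenance cadence


def triage(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Most urgent first; CVE id breaks ties so the order is deterministic."""
    return sorted(vulns, key=lambda v: (-priority_score(v), v.cve))


def tier_report(vulns: Iterable[Vuln]) -> Dict[str, List[str]]:
    """Group CVE ids by tier, each group already in priority order."""
    report: Dict[str, List[str]] = {"emergency": [], "this-cycle": [], "standard": []}
    for v in triage(vulns):
        report[deployment_tier(v)].append(v.cve)
    return report


# Ids and exploited/disclosed flags come from the post.  Only the two Win32k
# entries have a rating stated there; the other ratings are assumptions.
MARCH_2019 = [
    Vuln("CVE-2019-0797", "Win32k EoP", "Important", exploited=True),
    Vuln("CVE-2019-0808", "Win32k EoP", "Important", exploited=True),
    Vuln("CVE-2019-5786", "Google Chrome sandbox escape", None, exploited=True),
    Vuln("CVE-2019-0809", "VS C++ Redistributable Installer RCE", "Important",
         disclosed=True, user_targeted=True),
    Vuln("CVE-2019-0683", "Active Directory Forest EoP", "Important", disclosed=True),
    Vuln("CVE-2019-0757", "NuGet Package Manager tampering", "Important", disclosed=True),
    Vuln("CVE-2019-0754", "Windows denial of service", "Important", disclosed=True),
    # Constructed placeholder: a Critical CVE with no exploit and no disclosure.
    Vuln("CVE-0000-PLACEHOLDER", "constructed Critical RCE", "Critical"),
]


if __name__ == "__main__":
    for v in triage(MARCH_2019):
        print(f"{priority_score(v):4d}  {deployment_tier(v):11s} {v.cve}  {v.title}")
```

Running the script lists the two Win32k CVEs and the Chrome CVE at the top in the emergency tier, the four publicly disclosed CVEs next, and the placeholder Critical entry below all of them. Swapping in a real data feed means only replacing the `MARCH_2019` list; the ranking and tiering logic stays the same, which is the point of keeping the policy in code rather than in the severity column alone.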
About the Author
Chris Goettl, director of product management, security, for Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT Admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and his commentary is often quoted as a security expert in the media.