[SingCERT] Alert on Critical Vulnerabilities Affecting Microsoft Products

Published on Thursday, 14 March 2019 16:27

Background

Microsoft announced the release of 64 security patches to address vulnerabilities affecting its operating system and products.

14 vulnerabilities are rated critical and require immediate attention. These are:

  • CVE-2019-0763 – The vulnerability exists when Internet Explorer improperly accesses objects in memory with the potential to corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user.
  • CVE-2019-0680 – The vulnerability exists in the way the scripting engine handles objects in memory in Internet Explorer with the potential to corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user.
  • CVE-2019-0639 – The vulnerability exists in the way the ChakraCore scripting engine handles objects in memory with the potential to corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user.
  • CVE-2019-0666, CVE-2019-0667 – These vulnerabilities exist in the way VBScript handles objects in memory with the potential to corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user.
  • CVE-2019-0769, CVE-2019-0770, CVE-2019-0771 – These vulnerabilities exist in the way Microsoft Edge handles objects in memory with the potential to corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user.
  • CVE-2019-0603 – The vulnerability exists in the way Windows Deployment Services TFTP Server handles objects in memory. It could potentially allow an attacker to execute arbitrary code with elevated permissions on a target system.
  • CVE-2019-0784 – The vulnerability exists in the way ActiveX Data Objects (ADO) handles objects in memory with the potential to corrupt memory, allowing an attacker to execute arbitrary code in the context of the current user.
  • CVE-2019-0756 – The vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. It could potentially allow an attacker to remotely take control of the user’s system.
  • CVE-2019-0726, CVE-2019-0697, CVE-2019-0698 – These vulnerabilities exist in the Windows Dynamic Host Configuration Protocol (DHCP) client when an attacker sends specially crafted DHCP responses to a client. These vulnerabilities could potentially allow an attacker to run arbitrary code on the client machine.

For the full list of security updates released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance.

Affected Products

The security release contains updates for the following software:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office SharePoint
  • ChakraCore
  • Team Foundation Server
  • Skype for Business
  • Visual Studio
  • NuGet

Impact

Successful exploitation of these vulnerabilities could allow attackers to perform remote code execution, take control of the system and carry out malicious activities.

Recommendations

Users and system administrators of affected products are advised to apply the security updates immediately.

References

https://portal.msrc.microsoft.com/en-us/security-guidance

https://www.bleepingcomputer.com/news/security/microsoft-march-2019-patch-tuesday-includes-fixes-for-64-vulnerabilities/