Welcome back to this month’s Patch Tuesday. Microsoft has patched 76 vulnerabilities this month, including four that had details disclosed prior to patching. One “zero-day” vulnerability in Internet Explorer that was actively being exploited was also patched. The bulk of the patched vulnerabilities this month focus on web browsers.
Internet Explorer and Edge
Microsoft’s browsers received a host of fixes this month. One particularly notable vulnerability was the “zero-day” vulnerability in Internet Explorer that was actively being exploited. Google is credited for discovering that attackers were using the exploit to check for the existence of certain files on victims’ hard drives. This leak of information could further be used to compromise affected systems.
Windows DHCP Server
One of the vulnerabilities patched this month was for the Windows DHCP Server. The vulnerability would allow a remote attacker to execute code with elevated privileges against the vulnerable system. All an attacker would have to do to exploit this vulnerability is to send a maliciously crafted packet to the Windows DHCP Server over the network. Microsoft rates this vulnerability as Critical.
While Office was host to its usual round of fixes, none of its vulnerabilities were rated as Critical this month. However, attackers would be able to bypass security features, gain access to sensitive information, and execute code remotely by convincing users to open maliciously crafted files. As usual, the remote code execution would have privileges equal to the security context of the vulnerable application, encouraging users to exercise the principal of least privilege.
Adobe Flash Player
Adobe released a patch for Flash Player that, in typical fashion, Microsoft also distributes to all Windows users. Microsoft and Adobe disagree on the severity of a vulnerability this month, with Microsoft rating the vulnerability as Critical, while Adobe rates it as Important. The vulnerability would allow cyber attackers to read memory that is out of bounds.
Exchange was targeted by a previously disclosed vulnerability with proof of concept code released to the public. The flaw, CVE-2019-0686, could allow the attacker on the network of the Exchange server to access the inbox of other users. Microsoft claims that exploitation has not yet happened in the wild, but that it is likely that exploits will happen very soon. Microsoft rates this vulnerability as Critical.