It's now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on
Hefty load from Microsoft, Adobe, with special guest star Cisco
Patch Tuesday: Microsoft and Adobe have teamed up to give users and sysadmins plenty of work to do this week.
The February edition of Patch Tuesday includes more than 70 CVE-listed vulnerabilities from each vendor – yes, each – as well as a critical security fix from Cisco. You should patch them as soon as possible.
For Redmond, the February dump covers 77 CVE-listed bugs across Windows, Office, and Edge/IE.
Among the most potentially serious was CVE-2019-0626, a remote code execution vulnerability in the Windows Server DHCP component.
While the bug won't be much of a risk to everyday PCs, admins running Windows networks will want to make this fix a top priority, says Trend Micro ZDI's Dustin Childs.
"If you have a DHCP server on your network, and chances are you do, this patch should be at the top of your lists," Childs explained.
"The bug allows attackers to take over your DHCP server just by sending it a specially crafted packet. Code execution through a network service that executes with high privileges definitely puts this in the wormable category, although it would only be wormable to other DHCP servers."
Another priority should be to address the month's sole in-the-wild exploit, for CVE-2019-0676, an information disclosure flaw in Internet Explorer that would allow an attacker to check for the presence of specific files on a computer via a specially crafted webpage.
This bug would be particularly useful for targeted attacks, as it would, for example, help a cybercriminal pinpoint the machine they wanted to go after within a targeted company or group.
Exploits for four other vulnerabilities, CVE-2019-0636, CVE-2019-0686, CVE-2019-0646, and CVE-2019-0647, have also been publicly disclosed, but none have been found to allow for remote code execution (RCE).
Of the 36 RCE vulnerabilities patched this month, 16 were programming blunders in Microsoft's IE and Edge browsers, either via the browsers themselves or their scripting engines. In those situations, an attacker would be able to carry out the attack by convincing the user to visit a webpage booby-trapped with exploit code.
As such, the IE and Edge updates are always a top priority for admins to test and apply as soon as possible.
Another popular RCE target, Office, was the subject of seven remote code execution fixes. Two (CVE-2019-0594 and CVE-2019-0604) were found in SharePoint, while another five were spotted in the Office Access Connectivity Engine. In each case, the attacker would need to convince the victim to manually open a maliciously crafted file (this is not particularly hard to do with Office docs, which are sent back and forth between and within companies every single day).
Five further remote code execution bugs were patched for Jet Database Engine, a built-in component of Windows and Windows Server. Those vulnerabilities would also be exploited by convincing the mark to open a specially crafted file.
Adobe delivers PDF patch bonanza
Adobe has once again delivered a patch load to rival that of Microsoft, addressing 75 CVE entries of its own.
The overwhelming majority of those are the 39 arbitrary code execution vulnerabilities in Acrobat and Reader. In each case, the attacker could execute code on the target machine by convincing the user to open up a poisoned PDF file. In total, 71 of this month's patches were for vulnerabilities in Acrobat/Reader for Windows, Mac, and Linux boxes.
Flash Player is getting off easy this month, with just one CVE entry: an information disclosure bug via an out-of-bounds read error.
Cisco gets in on the fun with NAE fix
Companies that use Cisco's Network Access Engine (NAE) tool to manage their networks and datacenters will be well advised to look over Switchzilla's Tuesday advisory and make sure they have their software up-to-date.
The advisory explains that someone left the default password active on NAE, meaning that anyone who had local or command-line access to a vulnerable server could log in using the default admin credentials and take over control of the server.