Microsoft changes DHCP to 'Dammit! Hacked! Compromised! Pwned!' Big bunch of security fixes land for Windows

DHCP client has trio of remote-code exec vulns – plus SAP, Adobe issue updates


Patch Tuesday It's the second Tuesday of the month, and you know what that means: a fresh dump of security fixes from Microsoft, Adobe and others.

The March edition of Patch Tuesday includes fixes for 64 CVE-listed vulnerabilities, while Adobe addressed a pair of bugs in Photoshop and Digital Editions. Even SAP has got in on the game.

You should review the updates, test them where necessary and possible, and install them as soon as you can, so that miscreants cannot exploit the flaws to compromise your computers.

DHCP flaws headline Patch Tuesday priorities

Of the 64 bugs squashed in Redmond's March update, researchers are pointing to five particular bugs as being especially noteworthy.

First, there is the trio of CVE-2019-0697, CVE-2019-0698, and CVE-2019-0726, all covering holes present in the DHCP server component for Windows. Each of the flaws would potentially allow an attacker on the local network to achieve remote code execution on a targeted machine simply by sending a malformed DHCP network packet.

"These bugs are particularly impactful since they require no user interaction – an attacker sends a specially crafted response to a client – and every OS has a DHCP client," explained Dustin Childs of the Trend Micro Zero Day Initiative.

"There would likely need to be a man-in-the-middle component to properly execute an attack, but a successful exploit would have wide-ranging consequences."

There's no indication that the DHCP flaws are being exploited in the wild, but two other flaws patched in this month's bundle are already being used by online criminals. CVE-2019-0797 and CVE-2019-0808 are a pair of elevation of privilege flaws that have been detected in active use.

Childs also recommends admins make sure to test and install CVE-2019-0603, a remote code execution flaw in WDS TFTP server, and CVE-2019-0757, a package tampering flaw in NuGet.

Four of the flaws, CVE-2019-0683, CVE-2019-0754, CVE-2019-0757, and CVE-2019-0809, had already been publicly exposed. Of those, only CVE-2019-0809, an input validation flaw in Visual Studio C++, would allow for remote code execution, and it should be tackled as soon as possible.

As is usually the case, Microsoft's browser scripting engines accounted for the lion's share of the critical fixes. The scripting engines in Edge, Internet Explorer, and VBScript (also used for ActiveX extensions in IE and Office) each received patches for vulnerabilities that would allow remote code execution simply by convincing the mark to visit a poisoned web page or open an Office document.

Devs and admins using Windows Subsystem for Linux will want to pay attention to CVE-2019-0682, CVE-2019-0689, CVE-2019-0692, CVE-2019-0693, and CVE-2019-0694, five elevation of privilege flaws that could be exploited through poisoned applications.

Adobe touches up Photoshop, Digital Editions

Just two updates were kicked out from Adobe today, covering only one flaw. The problem is it appears in two separate apps.

For Photoshop CC on Windows and macOS, the update will close up CVE-2019-7095, a heap corruption bug that would allow for arbitrary code execution on a vulnerable machine.

The same flaw is also present in Digital Editions, prompting Adobe to update that suite as well.

SAP stands for Significantly Annoying Pwnage

Those admins running SAP software are going to have a bit more to deal with today, as the enterprise computing giant dropped 15 of its own security notes.

Just two of those, an XML External Entity bug in HANA Extended Application Services and a cross-site scripting flaw in NetWeaver Java Application Server, were serious enough to warrant 'high' severity ratings, but the rest should be fixed as soon as possible.
