Security Experts:

Microsoft Patches Critical Flaws in Edge, Hyper-V, DHCP

Microsoft has fixed nearly 50 vulnerabilities with its Patch Tuesday updates for January 2019, including some critical flaws affecting Edge, Hyper-V and DHCP. None of the vulnerabilities patched this month appear to have been exploited, but one of them has been publicly disclosed.

The publicly disclosed flaw, tracked as CVE-2019-0579 and rated “important,” affects the Windows Jet database engine. It can be exploited by a remote attacker to execute code on a targeted system by getting a user to open a specially crafted file.

Microsoft has credited researchers from ACROS’s 0patch, Palo Alto Networks, and Flexera for reporting the vulnerability.

It’s possible that the flaw is related to CVE-2018-8423, a Jet database engine issue which Microsoft patched in October, after the details of the security hole were disclosed in the previous month by Trend Micro’s ZDI. 0patch provided two micro-patches for the vulnerability – one when there was no fix from Microsoft, and one a few weeks later after it was determined that the tech giant’s patch was incomplete.

ACROS CEO Mitja Kolsek told SecurityWeek that they will be conducting tests to confirm it, but he believes CVE-2019-0579 is most likely the result of an incomplete patch for CVE-2018-8423.

This month’s Patch Tuesday updates also address four critical vulnerabilities affecting Edge. They are all memory corruption bugs, mostly related to the Chakra scripting engine, and they all allow arbitrary code execution in the context of the current user.

Another critical flaw, CVE-2019-0547, allows an attacker to execute arbitrary code on a Windows DHCP client machine by sending it specially crafted DHCP responses.

The last two critical vulnerabilities resolved this month are CVE-2019-0551 and CVE-2019-0550, which allow remote code execution on Hyper-V host operating systems.

One of this month’s advisories details an information disclosure and privilege escalation vulnerability affecting Skype for Android. Details of the flaw were disclosed recently by a researcher who showed how the weakness can be exploited to view photos and contacts, and even open links in a phone’s web browser. This vulnerability has only been rated “moderate” by Microsoft, likely due to the fact that exploitation requires physical access to the targeted device.

One of the Office vulnerabilities patched this month is CVE-2019-0560, which allows an attacker to obtain information from the memory that can later be used to compromise a device or data. Exploitation requires the targeted user to open a specially crafted document.

The vulnerability was reported to Microsoft by Mimecast, which has published an advisory and a blog post detailing its findings. The company discovered that Office files with ActiveX controls were consistently causing memory leaks.

“In fact, this memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information. If known, this is the type of data could be useful to cybercriminals for executing a malware-enabled, remote execution attack and at least as important—to steal sensitive information,” Mimecast said. “The Mimecast team has evidence of this leak in documents dating years back. Some documents were even found online containing sensitive user information.”

Adobe also released security updates on Tuesday, but only to resolve two “important” vulnerabilities in Connect and Digital Editions.

UPDATE. Kolsek has confirmed for SecurityWeek that CVE-2019-0579 is a new CVE identifier assigned by Microsoft after the patch for CVE-2018-8423 was found to be incomplete.

Related: Google Finds Internet Explorer Zero-Day Exploited in Targeted Attacks

Related: Windows Zero-Day Exploited by New 'SandCat' Group

Related: Windows Zero-Day Exploited in Targeted Attacks by 'PowerPool' Group

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.