SecurityWeek

Microsoft Patches Critical Flaws in Edge, Hyper-V, DHCP

Microsoft has fixed nearly 50 vulnerabilities with its Patch Tuesday updates for January 2019, including some critical flaws affecting Edge, Hyper-V and DHCP. None of the vulnerabilities patched this month appear to have been exploited, but one of them has been publicly disclosed.

The publicly disclosed flaw, tracked as CVE-2019-0579 and rated “important,” affects the Windows Jet database engine. It can be exploited by a remote attacker to execute code on a targeted system by getting a user to open a specially crafted file.

Microsoft has credited researchers from ACROS’s 0patch, Palo Alto Networks, and Flexera for reporting the vulnerability.

It’s possible that the flaw is related to CVE-2018-8423, a Jet database engine issue which Microsoft patched in October, after the details of the security hole were disclosed in the previous month by Trend Micro’s ZDI. 0patch provided two micro-patches for the vulnerability – one when there was no fix from Microsoft, and one a few weeks later after it was determined that the tech giant’s patch was incomplete.

ACROS CEO Mitja Kolsek told SecurityWeek that they will be conducting tests to confirm it, but he believes CVE-2019-0579 is most likely the result of an incomplete patch for CVE-2018-8423.

This month’s Patch Tuesday updates also address four critical vulnerabilities affecting Edge. They are all memory corruption bugs, mostly related to the Chakra scripting engine, and they all allow arbitrary code execution in the context of the current user.

Another critical flaw, CVE-2019-0547, allows an attacker to execute arbitrary code on a Windows DHCP client machine by sending it specially crafted DHCP responses.

The last two critical vulnerabilities resolved this month are CVE-2019-0551 and CVE-2019-0550, which allow remote code execution on Hyper-V host operating systems.

One of this month’s advisories details an information disclosure and privilege escalation vulnerability affecting Skype for Android. Details of the flaw were disclosed recently by a researcher who showed how the weakness can be exploited to view photos and contacts, and even open links in a phone’s web browser. This vulnerability has only been rated “moderate” by Microsoft, likely due to the fact that exploitation requires physical access to the targeted device.

One of the Office vulnerabilities patched this month is CVE-2019-0560, which allows an attacker to obtain information from the memory that can later be used to compromise a device or data. Exploitation requires the targeted user to open a specially crafted document.

The vulnerability was reported to Microsoft by Mimecast, which has published an advisory and a blog post detailing its findings. The company discovered that Office files with ActiveX controls were consistently causing memory leaks.

“In fact, this memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information. If known, this is the type of data that could be useful to cybercriminals for executing a malware-enabled, remote execution attack and at least as important—to steal sensitive information,” Mimecast said. “The Mimecast team has evidence of this leak in documents dating years back. Some documents were even found online containing sensitive user information.”

Adobe also released security updates on Tuesday, but only to resolve two “important” vulnerabilities in Connect and Digital Editions.

UPDATE. Kolsek has confirmed for SecurityWeek that CVE-2019-0579 is a new CVE identifier assigned by Microsoft after the patch for CVE-2018-8423 was found to be incomplete.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
