Microsoft patched 77 vulnerabilities yesterday including two zero-day flaws, one of which was being used in a targeted attack bearing the hallmarks of Russian state hackers.
The monthly update round saw Redmond fix privilege escalation vulnerabilities CVE-2019-0880 and CVE-2019-1132.
The latter was discovered by ESET researchers as part of a targeted attack in eastern Europe that used techniques similar to those of the infamous Kremlin-linked group APT28 (aka Fancy Bear, Sednit).
“For example, the Sednit group’s local privilege escalation exploit we analyzed in 2017 used menu objects and exploitation techniques, which are very similar to the current exploit,” ESET researcher Anton Cherepanov explained.
Although, like the other zero-day, it requires an attacker to first establish a presence on an infected system, it could enable full system access when chained with other flaws.
CVE-2019-0880 is an elevation of privilege vulnerability in splwow64.exe.
“According to the advisory, the vulnerability could be combined with a remote code execution or a separate elevation of privilege vulnerability to gain arbitrary code execution,” explained Tenable senior research engineer, Satnam Narang. “Because it was exploited in the wild, it is likely it was paired with another vulnerability, but those details are not currently available.”
Those two zero-days were rated important. However, 15 other flaws are classed as critical, and a further four had been publicly disclosed in advance, potentially giving black hats a head start on working up exploits.
“One of the most critical vulnerabilities this month is present in Microsoft DHCP Server (CVE-2019-0785). This memory corruption vulnerability affects all versions of Windows Server from 2012-2019 and it is remotely exploitable,” argued Recorded Future senior solutions architect, Allan Liska.
“It allows an attacker to send a specially crafted packet to a DHCP server and, if successful in exploitation, execute arbitrary code. While this is a critical vulnerability, with a CVSS Score of 9.8, a very similar vulnerability, CVE-2019-0725, was announced in May. To date, Recorded Future has not seen any evidence of attackers exploiting this vulnerability in the wild. That does not mean organizations should not prioritize patching this vulnerability.”
Others highlighted by Liska included: RDS remote code execution (RCE) flaw CVE-2019-0887, which affects all versions of Windows from Windows 7 to 10 and Windows Server 2008 to 2019; memory corruption bug CVE-2019-1001, which affects the Microsoft ChakraCore Scripting Engine, Internet Explorer 11 and Microsoft Edge; and an RCE flaw (CVE-2019-1072) in Azure DevOps Server and Team Foundation Server (TFS).