By Jon Munshaw.
Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical.
This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.
Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.
Critical vulnerabilities
Microsoft disclosed two critical vulnerabilities this month, both of which we highlight below.
CVE-2019-1468 is a remote code execution vulnerability in the Windows font library that exists due to the library improperly handling some embedded fonts. An attacker could exploit this bug by using a specially crafted, malicious embedded font on a web page, and then trick the user into visiting that web page. Alternatively, a user would need to open a specially crafted font file on their machine.
CVE-2019-1471 is a remote code execution vulnerability in the Hyper-V hypervisor. Hyper-V can sometimes fail to properly validate input from an authenticated user on a guest operating system. An attacker could exploit this vulnerability by running a specially crafted application on a guest OS, which could cause the Hyper-V host to execute arbitrary code on the host operating system.
Important vulnerabilities
This release also contains 23 important vulnerabilities, three of which we highlight below.
CVE-2019-1458 is an elevation of privilege vulnerability in Windows' Win32k component. An attacker could exploit this vulnerability by logging onto a system, then running a specially crafted application that would allow them to take complete control of the system and execute arbitrary code in kernel mode. Microsoft reports that this vulnerability has been used in the wild.
CVE-2019-1469 is an information disclosure vulnerability in Windows that arises when the Win32k component fails to properly provide kernel information. An attacker could exploit this vulnerability to obtain uninitialized memory and kernel memory, which could then be used in additional attacks.
CVE-2019-1485 is a remote code execution vulnerability in the VBScript engine. An attacker could exploit this vulnerability to corrupt memory on the affected system in a way that would allow them to execute arbitrary code in the context of the current user. To trigger this vulnerability, a user would have to visit a malicious, specially crafted website in the Internet Explorer web browser. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that uses Internet Explorer's rendering engine, and then trick the user into opening that file.
The other important vulnerabilities are:
- CVE-2019-1332
- CVE-2019-1400
- CVE-2019-1453
- CVE-2019-1461
- CVE-2019-1462
- CVE-2019-1463
- CVE-2019-1464
- CVE-2019-1465
- CVE-2019-1466
- CVE-2019-1467
- CVE-2019-1470
- CVE-2019-1472
- CVE-2019-1474
- CVE-2019-1476
- CVE-2019-1477
- CVE-2019-1478
- CVE-2019-1480
- CVE-2019-1481
- CVE-2019-1483
- CVE-2019-1484
Coverage
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.
These rules are: 52402, 52403, 52410, 52411, 52419, 52420