Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/8/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Remote Code Execution Bugs Are Primary Focus of January Patch Tuesday

This month's security update includes seven patches ranked Critical and one publicly known vulnerability.

Microsoft's first Patch Tuesday update of 2019 primarily tackles remote code execution (RCE) vulnerabilities, with nearly half of 47 total fixes focusing on RCE. Businesses are also urged to apply a December out-of-band Internet Explorer patch after active attacks in the wild.

Seven of the common vulnerabilities and exposures (CVEs) are ranked Critical in severity, 40 are Important, and two are Moderate. The patches and advisories issued today cover Internet Explorer, Microsoft Edge, Windows, Office, Office Services and Web Apps, ChakraCore, Visual Studio, and the .NET Framework.

As pointed out by Dustin Childs of Trend Micro's Zero-Day Institute in a blog post, RCE flaws make up half of CVEs addressed for January 2019. Eleven of these involve the Jet Database Engine. One (CVE-2019-0579) is publicly known and classified as Important in severity; exploiting this vulnerability could let an attacker execute arbitrary code on a victim system, Microsoft reports. This requires user interaction; a target would have to open a specially crafted file for execution.

While only rated as important, the disclosure of this vulnerability means enough information has been released to the public that an attacker could have an easier time developing exploits for the flaw, says Chris Goettl, director of product management for security at Ivanti.

Also highly prioritized is CVE-2019-0547, an RCE vulnerability in the Windows DHCP client. A memory corruption vulnerability exists in the client when an attacker sends specially crafted DHCP responses to a client, Microsoft reports. Successful exploitation would let an adversary execute arbitrary code on the client machine.

"Code execution through a widely available listening service means this is a wormable bug," Childs wrote. "Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable." He noted it's interesting this flaw is in the latest version of Windows but not previous ones, likely because the component was rewritten for newer systems, he added.

"If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list," Childs wrote.

Another Office bug (CVE-2019-0560), found by Mimecast, could enable unintended leakage of data in previously created Office documents and files. While it's tough to use it as a code execution vulnerability, it could be used to harvest data users were unintentionally exposing.

"While it is certainly possible to exploit this vulnerability to execute a remote execution attack, this would require relatively high technical expertise on behalf of the attacker," says Matthew Gardiner, security strategist at Mimecast.

"What is more concerning in the immediate time frame is the potential for previously created Office files to have sensitive content in them without the knowledge of the organization or user that created them," he explains.

Much of the discussion this month revolves around CVE-2018-8653, an out-of-band patch Microsoft issued for an Internet Explorer memory corruption vulnerability in December 2018. The flaw could corrupt memory in such a way that someone could execute arbitrary code in the context of the current user, says Microsoft, and an attacker could gain the same user's rights.

"That vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms," says Allan Liska, senior solutions architect at Recorded Future. "If you have not patched this vulnerability yet, it should be the No. 1 priority."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19071
PUBLISHED: 2019-11-18
A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVE-2019-19072
PUBLISHED: 2019-11-18
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVE-2019-19073
PUBLISHED: 2019-11-18
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, ...
CVE-2019-19074
PUBLISHED: 2019-11-18
A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVE-2019-19075
PUBLISHED: 2019-11-18
A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.