The February 2019 Security Update Review

February 12, 2019 | Dustin Childs

February is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for February 2019

For this month, Adobe released updates for Acrobat and Reader, Flash, ColdFusion, and the Adobe Creative Cloud Desktop Application. The Critical-rated Acrobat and Reader update addresses 71 CVEs, 17 of which came through the ZDI program. One of these CVEs, CVE-2019-7089, was publicly known at the time of release. The worst of the bugs fixed could allow an attacker to execute their own code on a target system. The patch for ColdFusion is also Critical but only addresses two CVEs. The worst of these bugs could allow code execution through the deserialization of untrusted data.

The update for Flash is rated Important and fixes only one CVE, which was submitted anonymously through the ZDI program. This bug allows an info disclosure through an out-of-bounds read on affected systems. The patch for the Creative Cloud Desktop Application also fixes one Important severity CVE, a DLL hijacking bug. None of these bugs are known to be under active attack at the time of release.

Microsoft Patches for February 2019

For February, Microsoft released security patches for 77 CVEs along with three new advisories. The patches cover Internet Explorer (IE), Edge, Exchange Server, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services and the .NET Framework. Of these 77 CVEs, 20 are rated Critical, 54 are rated Important, and three are rated Moderate in severity. A total of 21 of these CVEs came through the ZDI program. Four of these bugs are listed as public and one is listed as being under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with a publicly disclosed Exchange bug:

- CVE-2019-0686 – Microsoft Exchange Server Elevation of Privilege Vulnerability
This is one of the publicly known bugs for this month and was the subject of the ADV190007 advisory. It corrects an elevation of privilege in Exchange that allows an attacker to relay NTLM credentials and take over the server. The bug was initially disclosed via a blog post from a Fox-IT researcher. It pivots off a previous bug reported through the ZDI program that was addressed via a registry key rather than a patch. This topic has been widely discussed over the past few weeks, so it would not be surprising to see active attacks using this bug. Definitely view this as one of your high priority patches to test and deploy this month.

- CVE-2019-0626 – Windows DHCP Server Remote Code Execution Vulnerability
If you have a DHCP server on your network, and chances are you do, this patch should be at the top of your list. The bug allows attackers to take over your DHCP server just by sending it a specially crafted packet. Code execution through a network service that executes with high privileges definitely puts this in the wormable category, although it would only be wormable to other DHCP servers. While the Exploit Index (XI) rating for this is lower, there’s no reason to pass on installing this patch once you’ve tested it.

- CVE-2019-0594, CVE-2019-0604 – Microsoft SharePoint Remote Code Execution Vulnerability
SharePoint bugs don’t tend to be Critical, but these two certainly meet the requirements. An attacker could upload a specially crafted SharePoint application package to execute their code in the context of the SharePoint application pool and the SharePoint server farm account. Splitting websites over application pools generally allows for more rigid security between the sites. These bugs would negate that advantage.

- CVE-2019-0676 – Internet Explorer Information Disclosure Vulnerability
This patch corrects the one bug listed as under active attack for February. An attacker could use this to check for files on a target system if a user browses to a specially crafted website. Microsoft doesn’t list how this bug is being exploited in the wild, but it’s likely restricted to targeted attacks. Considering Microsoft now lists IE as “a compatibility solution” rather than a browser, now is a good time to figure out your upgrade strategy.

Here’s the full list of CVEs released by Microsoft for February 2019.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-0676 | Internet Explorer Information Disclosure Vulnerability | Important | No | Yes | 1 | 1 | Info |
| CVE-2019-0636 | Windows Information Disclosure Vulnerability | Important | Yes | No | 1 | 1 | Info |
| CVE-2019-0686 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | Yes | No | 1 | 1 | EoP |
| CVE-2019-0646 | Team Foundation Server Cross-site Scripting Vulnerability | Important | Yes | No | 2 | N/A | XSS |
| CVE-2019-0647 | Team Foundation Server Information Disclosure Vulnerability | Important | Yes | No | 2 | 2 | Info |
| CVE-2019-0590 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0591 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0593 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0594 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0605 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0606 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0607 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0618 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0626 | Windows DHCP Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0634 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0640 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0642 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0644 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0645 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0650 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0651 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0652 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0655 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0662 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0540 | Microsoft Office Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
| CVE-2019-0595 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0596 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0597 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0598 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0599 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0600 | HID Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0601 | HID Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0602 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0610 | Scripting Engine Memory Corruption Vulnerability | Important | No | No | 1 | N/A | RCE |
| CVE-2019-0613 | .NET Framework and Visual Studio Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0615 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0616 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0619 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0621 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0623 | Win32k Elevation of Privilege Vulnerability | Important | No | No | N/A | 2 | EoP |
| CVE-2019-0625 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0627 | Windows Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
| CVE-2019-0628 | Win32k Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0630 | Windows SMB Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-0631 | Windows Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
| CVE-2019-0632 | Windows Security Feature Bypass Vulnerability | Important | No | No | 1 | 1 | SFB |
| CVE-2019-0633 | Windows SMB Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-0635 | Windows Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0637 | Windows Defender Firewall Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-0648 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info |
| CVE-2019-0649 | Scripting Engine Elevation of Privileged Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2019-0654 | Microsoft Browser Spoofing Vulnerability | Important | No | No | 1 | 1 | Spoof |
| CVE-2019-0656 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP |
| CVE-2019-0657 | .NET Framework and Visual Studio Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-0658 | Scripting Engine Information Disclosure Vulnerability | Important | No | No | 1 | N/A | Info |
| CVE-2019-0659 | Windows Storage Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0660 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0661 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | N/A | 1 | Info |
| CVE-2019-0664 | Windows GDI Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-0668 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0669 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0671 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0672 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0673 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0674 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0675 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0724 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | No | No | N/A | N/A | EoP |
| CVE-2019-0728 | Visual Studio Code Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0729 | Azure IoT Java SDK Elevation of Privilege Vulnerability | Important | No | No | 2 | N/A | EoP |
| CVE-2019-0741 | Azure IoT Java SDK Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-0742 | Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-0743 | Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-0624 | Skype for Business 2015 Spoofing Vulnerability | Important | No | No | N/A | 2 | Spoof |
| CVE-2019-0641 | Microsoft Edge Security Feature Bypass Vulnerability | Moderate | No | No | 2 | N/A | SFB |
| CVE-2019-0643 | Microsoft Edge Information Disclosure Vulnerability | Moderate | No | No | 2 | N/A | Info |
| CVE-2019-0670 | Microsoft SharePoint Spoofing Vulnerability | Moderate | No | No | 2 | 2 | Spoof |
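As an added example (not part of the original review), the Python below parses rows in the whitespace-separated layout the table is published in and orders them the way the write-up prioritizes patches: actively exploited first, then publicly known, then Critical severity, then an XI - Latest of 1. The sample rows are copied from the table above; the parser, the Cve record and the tie-break order are assumptions of this example.

```python
"""Triage rows of a Patch Tuesday CVE table (added example, not ZDI code)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample rows copied verbatim from the table above (constructed subset for the demo).
SAMPLE_ROWS = """\
CVE-2019-0540 Microsoft Office Security Feature Bypass Vulnerability Important No No 1 1 SFB
CVE-2019-0590 Scripting Engine Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0626 Windows DHCP Server Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-0686 Microsoft Exchange Server Elevation of Privilege Vulnerability Important Yes No 1 1 EoP
CVE-2019-0676 Internet Explorer Information Disclosure Vulnerability Important No Yes 1 1 Info
CVE-2019-0623 Win32k Elevation of Privilege Vulnerability Important No No N/A 2 EoP
""".splitlines()


@dataclass
class Cve:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: Optional[int]   # None when the table says N/A
    xi_older: Optional[int]
    kind: str                  # RCE, EoP, Info, SFB, XSS, Spoof


def _xi(token: str) -> Optional[int]:
    return None if token == "N/A" else int(token)


def parse_row(line: str) -> Cve:
    """The title has no fixed width, so take the CVE id from the left and the
    six fixed columns (Severity Public Exploited XI-Latest XI-Older Type) from the right."""
    tokens = line.split()
    if len(tokens) < 8:
        raise ValueError(f"malformed row: {line!r}")
    cve, *title, severity, public, exploited, xi_latest, xi_older, kind = tokens
    return Cve(cve, " ".join(title), severity, public == "Yes", exploited == "Yes",
               _xi(xi_latest), _xi(xi_older), kind)


def priority(c: Cve) -> tuple:
    # Higher tuple sorts first: in the wild > public > Critical > XI-Latest of 1.
    return (c.exploited, c.public, c.severity == "Critical", c.xi_latest == 1)


def triage(lines: List[str]) -> List[str]:
    """Return CVE ids ordered by priority; ties keep the table's own order (stable sort)."""
    return [c.cve for c in sorted(map(parse_row, lines), key=priority, reverse=True)]


def severity_counts(lines: List[str]) -> dict:
    """Count rows per severity, handy for checking a release's stated totals."""
    return dict(Counter(parse_row(l).severity for l in lines))
```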

Other patches for this month include another Exchange bug, which also involves relaying NTLM authentication. This one was not listed as public though. There are two Critical-rated RCE bugs in GDI+, which used to be a servicing nightmare due to the wide variety of products that included the component. Fortunately, GDI+ bugs now require only an OS patch. Rounding out the Critical bugs are 15 browse-and-own vulnerabilities affecting IE, Edge, and ChakraCore.

Remote code execution bugs continue to dominate the monthly patch release with nearly half of the bugs this month categorized as an RCE. Quite a few of these are related to the Jet Database Engine and the Access Database. There are two SMB patches that sound scary but are mitigated by the fact that the attacker would need to be authenticated first. Still, insider attacks are definitely a thing. These bugs involve SMBv2, but as a reminder, SMBv1 should be completely disabled in your enterprise by now.

There are a handful of Security Feature Bypass (SFB) bugs, including one in Edge that could allow Adobe Flash to automatically load without user interaction. The three SFBs in Windows all deal with Device Guard and bypassing the User Mode Code Integrity (UMCI) policy. Bypassing this allows attackers to run their own code on an otherwise locked down system. There’s an interesting bypass of the Windows Defender Firewall profile for cellular networks, but there’s no way to trigger the bypass remotely. It’s good to see Microsoft fix it anyway.

There are quite a few information disclosure bugs being addressed this month. Considering how many applications run in some form of a sandbox, patching these types of bugs that leak memory contents makes sandbox escapes more difficult. The Azure IoT Java SDK gets a couple of patches to address an EoP and an info disclosure bug that involves logging sensitive data. Team Foundation Server gets a few patches to address XSS bugs and an info disclosure bug. Two of the XSS bugs are listed as publicly known but not under active attack. Finally, rounding out the release are three Spoofing bugs in .NET Framework, SharePoint, and the web browsers.

The first advisory released in February provides an update to the Oracle Outside In library that ships with Exchange Server. It’s technically public since Oracle released their patch back in October. Advisory ADV190006 doesn’t provide any patches, but it does provide guidance on mitigating unconstrained Active Directory delegations. Active Directory administrators with multiple forests should definitely review the guidance carefully. Finally, the fourth new advisory for this month is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on March 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!