Microsoft Fixes Another Two Zero Days in Patch Avalanche
Microsoft maintained the pressure on system administrators this month by releasing fixes for over 70 vulnerabilities in its products, two of which are classed as zero-day flaws.
The 15 updates released by Redmond cover 74 unique CVEs in Windows, Internet Explorer, Edge, Office, SharePoint and Exchange.
Just like last month, two of them are being actively exploited in the wild and should be prioritized.
“Elevation of privilege vulnerabilities are important to address because they are often part of the second phase of an attack where the attacker attempts to gain control of the victim’s machine,” explained Recorded Future senior solutions architect, Allan Liska.
“Two of these vulnerabilities, CVE-2019-0803 and CVE-2019-0859, are both being exploited in the wild. Both of these privilege escalation vulnerabilities reside in the Win32k component, which exists on all versions of Windows.”
He added that the risk for IT teams is to only focus on the most severe vulnerabilities, leaving systems exposed via others which fall down the priority list.
These include MSXML remote code execution vulnerabilities CVE-2019-0790 to CVE-2019-0794, which affect Windows 7, 8 and 10 and Windows Server 2008, 2012, 2016 and 2019.
“Proof of Concept exploit code for a similar vulnerability, CVE-2018-8420, was released earlier this year on a Russian underground forum,” explained Liska.
“While we have not seen evidence that this code was used in active exploits, it being shared shows current interest in this type of exploit among criminals, elevating the chance that attackers will want to exploit these vulnerabilities quickly; this also means that patching these should be a high priority, especially given the wide range of Windows systems they impact.”
As if that weren’t enough, there was also plenty from Adobe for sysadmins to digest on Tuesday.
The firm released seven updates fixing 43 CVEs in products such as Adobe Reader, Acrobat, AIR, Flash and Shockwave.
The latter has reached end-of-life so there are no updates for its seven critical flaws, according to Ivanti director of product management, security, Chris Goettl.
“Remove Shockwave from your environment. Its seven vulnerabilities are going to leave the majority of Shockwave installs exposed. You can bet an exploit is imminent there,” he argued.
“Wireshark also released three updates resolving 10 CVEs. Wireshark is one of those overlooked IT tools that can pose a significant risk to your environment. Ensure it gets updated or removed where it is no longer needed.”
Source: Information Security Magazine