Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 that are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player.
This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.
Critical vulnerabilities
Microsoft disclosed 16 critical vulnerabilities this month, four of which we will highlight below.CVE-2019-0753 is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.
CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793 and CVE-2019-0795 are all remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user’s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML.
The other critical vulnerabilities are:
- CVE-2019-0739
- CVE-2019-0786
- CVE-2019-0806
- CVE-2019-0810
- CVE-2019-0812
- CVE-2019-0829
- CVE-2019-0845
- CVE-2019-0853
- CVE-2019-0860
- CVE-2019-0861
Important vulnerabilities
This release also contains 58 important vulnerabilities, eight of which we will highlight below.CVE-2019-0732 is a feature bypass vulnerability in several versions of the Windows operating system that could allow an attacker to bypass Windows Device Guard. This bug exists because Windows improperly handles calls to the LUAFV driver. An attacker could exploit this vulnerability by accessing the local machine and then running a malicious program, giving them the ability to evade a User Mode Code Integrity policy on the machine.
CVE-2019-0752 is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.
CVE-2019-0790 and CVE-2019-0795 are remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user’s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML.
CVE-2019-0801 is a remote code execution vulnerability in Microsoft Office that arises when the software attempts to open PowerPoint or Excel files. An attacker could exploit this bug by tricking the user into clicking on a specially crafted URL file that points to an Excel or PowerPoint file, causing the file to download.
CVE-2019-0803 and CVE-2019-0859 are elevation of privilege vulnerabilities in some versions of Windows that exist when the Win32k component improperly handles objects in memory. If exploited, an attacker could gain the ability to run arbitrary code in kernel mode. An attacker could exploit this bug by logging onto the system and then running a specially crafted application.
CVE-2019-0822 is a remote code execution vulnerability that exists in the way Microsoft Graphics Components handles objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, eventually allowing them to execute arbitrary code in the context of the current user.
The other important vulnerabilities are:
- CVE-2019-0685
- CVE-2019-0688
- CVE-2019-0730
- CVE-2019-0731
- CVE-2019-0735
- CVE-2019-0764
- CVE-2019-0794
- CVE-2019-0796
- CVE-2019-0802
- CVE-2019-0805
- CVE-2019-0814
- CVE-2019-0815
- CVE-2019-0817
- CVE-2019-0823
- CVE-2019-0824
- CVE-2019-0825
- CVE-2019-0826
- CVE-2019-0827
- CVE-2019-0828
- CVE-2019-0830
- CVE-2019-0831
- CVE-2019-0833
- CVE-2019-0835
- CVE-2019-0836
- CVE-2019-0837
- CVE-2019-0838
- CVE-2019-0839
- CVE-2019-0840
- CVE-2019-0841
- CVE-2019-0842
- CVE-2019-0844
- CVE-2019-0846
- CVE-2019-0847
- CVE-2019-0848
- CVE-2019-0849
- CVE-2019-0851
- CVE-2019-0856
- CVE-2019-0857
- CVE-2019-0858
- CVE-2019-0862
- CVE-2019-0866
- CVE-2019-0867
- CVE-2019-0868
- CVE-2019-0869
- CVE-2019-0870
- CVE-2019-0871
- CVE-2019-0874
- CVE-2019-0876
- CVE-2019-0877
- CVE-2019-0875
- CVE-2019-0879
- CVE-2019-0813
Coverage
In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.Snort rules: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755