Microsoft Patch Tuesday — January 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, seven of which are rated “critical,” 40 that are considered “important” and one that is “moderate.” This release also includes a critical security advisory for multiple bugs in Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Jet Database Engine, Office SharePoint and the Chakra Scripting Engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Critical vulnerabilities

Microsoft disclosed seven critical vulnerabilities this month, which we will highlight below.

CVE-2019-0550 and CVE-2019-0551 are remote code execution vulnerabilities in Windows Hyper-V, a native hypervisor that can create virtual machines. These bugs exist due to the way a host server fails to properly validate input from an authenticated user on a guest operating system. An attacker could exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

CVE-2019-0539, CVE-2019-0567 and CVE-2019-0568 are memory corruption vulnerabilities in the way the Chakra Scripting Engine handles objects in memory on the Microsoft Edge web browser. An attacker could corrupt memory in a way that would allow them to execute code in the context of the current user. In order to trigger this vulnerability, a user would have to visit a specially crafted, malicious web page in Edge.

CVE-2019-0547 is a memory corruption vulnerability in the Windows DHCP client that exists when an attacker sends specially crafted DHCP responses to a client. An attacker could gain the ability to run arbitrary code on the client machine if they successfully exploit this vulnerability.

CVE-2019-0565 is a memory corruption vulnerability in Microsoft Edge that occurs when the web browser improperly handles objects in memory. An attacker could corrupt memory in a way that would allow them to execute arbitrary code in the context of the current user. A user would trigger this vulnerability if they visited a specially crafted, malicious web page in Edge.

Important vulnerabilities

This release also contains 40 important vulnerabilities, four of which we will highlight below.

CVE-2019-0555 is an escalation of privilege vulnerability in the Microsoft XmlDocument class that could allow an attacker to escape the AppContainer sandbox. An attacker could exploit this flaw to gain elevated privileges and break out of the Microsoft Edge AppContainer sandbox. While this vulnerability does not allow arbitrary code to run explicitly, it could be combined with other vulnerabilities to take advantage fo the elevated privileges while running.

CVE-2019-0572, CVE-2019-0573 and CVE-2019-0574 are elevation of privilege vulnerabilities in Windows Data Sharing that lie in the way the service improperly handles file operations. An attacker could exploit this vulnerability by running a specially crafted application to gain the ability to run processes in an elevated context.

• CVE-2019-0536
• CVE-2019-0537
• CVE-2019-0538
• CVE-2019-0541
• CVE-2019-0542
• CVE-2019-0543
• CVE-2019-0545
• CVE-2019-0548
• CVE-2019-0549
• CVE-2019-0552
• CVE-2019-0553
• CVE-2019-0554
• CVE-2019-0556
• CVE-2019-0557
• CVE-2019-0558
• CVE-2019-0559
• CVE-2019-0560
• CVE-2019-0561
• CVE-2019-0562
• CVE-2019-0564
• CVE-2019-0566
• CVE-2019-0569
• CVE-2019-0570
• CVE-2019-0571
• CVE-2019-0575
• CVE-2019-0576
• CVE-2019-0577
• CVE-2019-0578
• CVE-2019-0579
• CVE-2019-0580
• CVE-2019-0581
• CVE-2019-0582
• CVE-2019-0583
• CVE-2019-0584
• CVE-2019-0585
• CVE-2019-0586
• CVE-2019-0588

Moderate

The only moderate vulnerability in this release is CVE-2019-0546, a remote code execution vulnerability in Microsoft Visual Studio.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 48768 - 48770, 48773 - 48780, 48783, 48787 - 48790, 48793 - 48795, 48798, 48807 - 48810, 48876