Microsoft Patch Tuesday — March 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2.

This month’s security update covers security issues in a variety of Microsoft’s products, including the VBScript scripting engine, Dynamic Host Configuration Protocol and the Chakra scripting engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Critical vulnerabilities

Microsoft disclosed 17 critical vulnerabilities this month, all of which we will highlight below.

CVE-2019-0592 is a memory corruption vulnerability in the Chakra scripting engine that could allow an attacker to elevate their privileges. The bug lies in the way that the scripting engine handles objects in memory. In order to exploit this vulnerability, an attacker would need to trick a user into visiting a specially crafted, malicious web page in the Microsoft Edge web browser.

CVE-2019-0763 is a remote code execution vulnerability that exists when the Internet Explorer web browser improperly handles objects in memory. An attacker could exploit this vulnerability by tricking a user into visiting a malicious web page while using Internet Explorer.

CVE-2019-0756 is a remote code execution vulnerability in the Microsoft XML Core Services MSXML parser. An attacker can exploit this bug by tricking the user into opening a specially crafted website designed to invoke MSXML through a web browser. Eventually, the attacker would gain the ability to execute malicious code and take control of the user’s system.

CVE-2019-0609, CVE-2019-0639, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771 and CVE-2019-0773 are all memory corruption vulnerabilities in Microsoft’s scripting engine that exist due to the way Microsoft Edge handles objects in memory. An attacker could exploit these bugs to corrupt memory in a way that would allow them to execute arbitrary code in the context of the current user. A user would trigger this vulnerability if they visited a specially crafted, malicious web page in Edge.

CVE-2019-0784 is a remote code execution vulnerability that exists due to the way ActiveX Data Objects (ADO) handle objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. Alternatively, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2019-0603 is a remote code execution vulnerability in Windows Deployment Services TFTP Server. The bug lies in the way the server handles objects in memory. If an attacker were to exploit this vulnerability, they’d gain the ability to execute arbitrary code with elevated permissions on a target system.

CVE-2019-0697, CVE-2019-0698 and CVE-2019-0726 are remote code execution vulnerabilities in the Windows DHCP client. The vulnerability triggers when the client receives specially crafted DHCP responses to a client, potentially allowing an attacker to execute arbitrary code on the target machine.

CVE-2019-0666 and CVE-2019-0667 are vulnerabilities in the VBScript engine that exist due to the way the engine handles objects in memory. An attacker could use these bugs to corrupt memory in a way that would allow them to execute arbitrary code in the context of the current user. A user could trigger these vulnerabilities by visiting an attacker-created website through Internet Explorer. An attacker could also provide them with an embedded ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

Important vulnerabilities

This release also contains 45 important vulnerabilities:

• CVE-2019-0784
• CVE-2019-0611
• CVE-2019-0612
• CVE-2019-0614
• CVE-2019-0617
• CVE-2019-0665
• CVE-2019-0678
• CVE-2019-0682
• CVE-2019-0683
• CVE-2019-0689
• CVE-2019-0690
• CVE-2019-0692
• CVE-2019-0693
• CVE-2019-0694
• CVE-2019-0695
• CVE-2019-0696
• CVE-2019-0701
• CVE-2019-0702
• CVE-2019-0703
• CVE-2019-0704
• CVE-2019-0746
• CVE-2019-0748
• CVE-2019-0754
• CVE-2019-0755
• CVE-2019-0757
• CVE-2019-0759
• CVE-2019-0761
• CVE-2019-0762
• CVE-2019-0765
• CVE-2019-0766
• CVE-2019-0767
• CVE-2019-0768
• CVE-2019-0772
• CVE-2019-0774
• CVE-2019-0775
• CVE-2019-0776
• CVE-2019-0778
• CVE-2019-0779
• CVE-2019-0780
• CVE-2019-0782
• CVE-2019-0783
• CVE-2019-0797
• CVE-2019-0798
• CVE-2019-0808
• CVE-2019-0809
• CVE-2019-0821

Moderate

There was one moderate vulnerability in this release: CVE-2019-0816, a security feature bypass vulnerability in Azure SSH Keypairs.

Low

The only low vulnerability in this release is CVE-2019-0777, a cross-site scripting vulnerability in Team Foundation.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45142, 45143, 46554, 46555, 48051, 48052, 49172, 49173, 49364 - 49369, 49371, 49372, 49378 - 49395, 49400 - 49403