Patch Tuesday February 2019
Windows 10 and Windows Server 2016
Two updates this month address a critical vulnerability in the Windows Graphics Device Interface (GDI) that could allow an attacker to take control of an affected system by convincing the user to view certain content. This exploit is also patched in Internet Explorer 10 and 11. There’s a critical memory corruption vulnerability in the DHCP service that could allow an attacker to run arbitrary code by sending a specially crafted packet. There are also 8 remote code vulnerabilities rated Important.
There are 14 critical vulnerabilities patched in Edge, some of which could allow an attacker to take control if the user has admin rights. Another timely reminder that you can reduce the risk of getting owned by removing admin rights from users.
Windows 7 and Windows Server 2008
Windows 7 gets the same Windows Graphics Device Interface (GDI) and DHCP critical patches that are available for Windows 10. Additionally, there are 14 remote code vulnerabilities rated Important and patches for Internet Explorer 10.
Exchange Privilege Escalation Bug
This month, Microsoft released cumulative updates (CUs) for Exchange Server 2010, 2013, 2016, and 2019. What makes these updates different from previous CUs is that they contain an architectural change to the way Exchange Web Services (EWS) push notifications work. A vulnerability in EWS allows an attacker to use push notifications to gain unauthorized access. Microsoft says:
When a client subscribes to Push Notifications from Exchange Server, the notifications that are sent to the client include NTLM information that could be used to authenticate as the server that is running Exchange Server. This information was previously included to allow an authenticated response to subscribed clients. Only Push Notifications are affected. Pull and Streaming Notifications are unaffected.
This bug only affects clients that have push notifications enabled in their environment. While Microsoft had published a workaround, which you can find here, it could cause some client applications to stop working properly. But the latest CUs patch the vulnerability.
- Exchange Server 2019 – Cumulative Update 1
- Exchange Server 2016 – Cumulative Update 12
- Exchange Server 2013 – Cumulative Update 22
- Exchange Server 2010 – Update Rollup 26
Exchange Active Directory Rights
Without going into too much detail, by default Exchange uses a shared permissions model with Active Directory (AD) that gives it extensive rights at the root level of any domain that has Exchange servers. This month’s CUs can be used to modify AD to reduce the scope of objects on which Exchange can write security descriptors. This doesn’t affect organizations that have opted to use the split permissions model, which was first available in Exchange Server 2010. About the security changes released today, Microsoft says:
The combination of the directory permission changes and EWS security change provides the best possible protection against possible attacks, meaning that Active Directory Split Permissions are not required, but still optional.
Exchange Legacy Authentication Protocols
Exchange Server 2019 CU1 includes new cmdlet support to create policies that restrict legacy authentication protocols on a per protocol and user by user basis. You can already use Azure AD Conditional Access policies to control how legacy authentication protocols are used in Office 365. See Understanding Azure Active Directory Conditional Access on Petri for more information.
For further details on how to make changes to your environment, check out Microsoft’s Knowledgebase article here. And for a more in-depth look at this month Exchange CUs, Tony Redmond has a writeup here on Petri: Exchange Privilege Elevation Vulnerability Addressed by Microsoft Patches.
SharePoint Server gets patched for a critical remote code execution flaw that could allow an attacker to run any code in the context of the application pool and SharePoint server farm account. This vulnerability affects SharePoint 2016, 2013, 2010, and 2009.
There are no critical flaws patched in Office this month.
Adobe Flash and Acrobat Reader
Finally, there is the usual raft of patches for Adobe products. There are 43 critical flaws patched in Acrobat and Reader, including a permanent fix for a bug that could allow remote attackers to harvest NTLM password hashes.