
Patch Tuesday February 2019

Windows 10 and Windows Server 2016

Two updates this month address a critical vulnerability in the Windows Graphics Device Interface (GDI) that could allow an attacker to take control of an affected system by convincing the user to view certain content. This vulnerability is also patched in Internet Explorer 10 and 11. There’s a critical memory corruption vulnerability in the DHCP service that could allow an attacker to run arbitrary code by sending a specially crafted packet. There are also 8 remote code execution vulnerabilities rated Important.

There are 14 critical vulnerabilities patched in Edge, some of which could allow an attacker to take control if the user has admin rights. It's another timely reminder that you can reduce the risk of getting owned by removing admin rights from users.

Windows 7 and Windows Server 2008

Windows 7 gets the same Windows Graphics Device Interface (GDI) and DHCP critical patches that are available for Windows 10. Additionally, there are 14 remote code execution vulnerabilities rated Important and patches for Internet Explorer 10.


Exchange Privilege Escalation Bug

This month, Microsoft released cumulative updates (CUs) for Exchange Server 2010, 2013, 2016, and 2019. What makes these updates different from previous CUs is that they contain an architectural change to the way Exchange Web Services (EWS) push notifications work. A vulnerability in EWS allows an attacker to use push notifications to gain unauthorized access. Microsoft says:

When a client subscribes to Push Notifications from Exchange Server, the notifications that are sent to the client include NTLM information that could be used to authenticate as the server that is running Exchange Server. This information was previously included to allow an authenticated response to subscribed clients. Only Push Notifications are affected. Pull and Streaming Notifications are unaffected.

This bug only affects clients that have push notifications enabled in their environment. Microsoft had published a workaround, which you can find here, but it could cause some client applications to stop working properly. The latest CUs patch the vulnerability.

Exchange Active Directory Rights

Without going into too much detail, by default Exchange uses a shared permissions model with Active Directory (AD) that gives it extensive rights at the root level of any domain that has Exchange servers. This month’s CUs can be used to modify AD to reduce the scope of objects on which Exchange can write security descriptors. This doesn’t affect organizations that have opted to use the split permissions model, which was first available in Exchange Server 2010. About the security changes released today, Microsoft says:

The combination of the directory permission changes and EWS security change provides the best possible protection against possible attacks, meaning that Active Directory Split Permissions are not required, but still optional.

Exchange Legacy Authentication Protocols

Exchange Server 2019 CU1 includes new cmdlet support to create policies that restrict legacy authentication protocols on a per-protocol and user-by-user basis. You can already use Azure AD Conditional Access policies to control how legacy authentication protocols are used in Office 365. See Understanding Azure Active Directory Conditional Access on Petri for more information.
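A staged rollout of such a policy could look like the following. This is an added example, not code from the article or from Microsoft. It assumes an Exchange Management Shell session on an Exchange Server 2019 build that ships the authentication policy cmdlets; the policy name and pilot mailboxes are hypothetical placeholders.

```powershell
# Added example: restrict legacy authentication per protocol, then per user.
# Assumption: run in the Exchange Management Shell with organization
# management rights. Names below are hypothetical placeholders.
$policyName = 'Block-Legacy-Auth-Pilot'
$pilotUsers = @('pilot.user1@example.com', 'pilot.user2@example.com')

# 1. Create the policy once. Each -BlockLegacyAuth* switch disables legacy
#    (Basic/NTLM/Kerberos) authentication for one protocol; protocols that
#    are not listed keep their current behaviour.
$existing = Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AuthenticationPolicy -Name $policyName `
        -BlockLegacyAuthImap `
        -BlockLegacyAuthPop `
        -BlockLegacyAuthActiveSync `
        -BlockLegacyAuthWebServices | Out-Null
}

# 2. Assign the policy user by user, starting with a pilot group so that
#    clients which still depend on legacy authentication surface early.
foreach ($user in $pilotUsers) {
    Set-User -Identity $user -AuthenticationPolicy $policyName
}

# 3. Verify the assignment on the pilot accounts.
$pilotUsers | ForEach-Object {
    Get-User -Identity $_ | Select-Object Name, AuthenticationPolicy
}

# 4. Report mailbox users that still have no policy assigned, to track how
#    much of the organization remains outside the restriction.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuthenticationPolicy } |
    Select-Object Name, UserPrincipalName

# 5. After the pilot, the same policy can become the organization default
#    for users without an explicit assignment (left commented out here).
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Keep the EWS switch out of the policy until you have confirmed that no line-of-business application still authenticates to Exchange Web Services with legacy credentials.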

For further details on how to make changes to your environment, check out Microsoft’s Knowledgebase article here. And for a more in-depth look at this month's Exchange CUs, Tony Redmond has a writeup here on Petri: Exchange Privilege Elevation Vulnerability Addressed by Microsoft Patches.

SharePoint Server

SharePoint Server gets patched for a critical remote code execution flaw that could allow an attacker to run any code in the context of the application pool and SharePoint server farm account. This vulnerability affects SharePoint 2016, 2013, 2010, and 2009.

Microsoft Office

There are no critical flaws patched in Office this month.

Adobe Flash and Acrobat Reader

Finally, there is the usual raft of patches for Adobe products. There are 43 critical flaws patched in Acrobat and Reader, including a permanent fix for a bug that could allow remote attackers to harvest NTLM password hashes.

 

 
