- Microsoft pushes this month’s security patch that fixes 77 flaws in a multitude of their products.
- There are 16 vulnerabilities rated as critical, but none of them are marked as “under active exploitation”.
- Users are advised to apply the patch immediately, as always with this type of updates.
This month’s Windows patch is fixing 77 vulnerabilities in various Microsoft products, 16 of which are rated “critical”, 60 classified as “important” (two are under exploitation), and one being “moderate”. It goes without saying that people are advised to apply these updates as soon as possible, as OS security patches should be treated as the most important kind of updates that a system can receive. The patch does not concern only Windows 10, but also Windows 7, Windows 8.1, Server 2008, Server 2012, Server 2016, and Server 2019.
The products that are covered by this month’s security patch are Internet Explorer, Microsoft Edge, ChakraCore, Microsoft Office, Microsoft .NET, Microsoft Windows, DirectWrite, Graphics Device, Interface (GDI), Microsoft SQL Server, Team Foundation Server, Microsoft Exchange Server, Azure, Microsoft Visual Studio.
The 16 vulnerabilities that are rated “critical” are the following:
CVE-2019-0785: Memory corruption flaw in the Windows Server DHCP service, allowing an attacker to run arbitrary code on it or cause the DHCP to become nonresponsive by sending specially crafted packages.
CVE-2019-1001 and 1004: Memory corruption flaw in Internet Explorer and Edge, allowing an attacker to create a malicious webpage that would enable them to execute arbitrary code onto the victim’s machine.
CVE-2019-1062, 1092, 1103, 1106, and 1107: Memory corruption vulnerability in the Chakra Scripting Engine, allowing an attacker to execute arbitrary code onto the victim’s machine, after the latter visits a specially crafted webpage by using Microsoft Edge.
CVE-2019-1113: A remote code execution (RCE) flaw in the .NET Framework, allowing an attacker to execute arbitrary code after convincing the victim to open a maliciously crafted file.
CVE-2019-1006: Authentication bypass vulnerability in the Windows Communication Framework (WCF), allowing the signing of SAML tokens with arbitrary symmetric keys. This allows an attacker to impersonate a user and result in privilege escalation.
CVE-2019-1056 and 1059: RCE flaw existing in the way the Internet Explorer 11 scripting engine handles objects in memory. An attacker could execute arbitrary code and gain user rights through a memory corruption path.
CVE-2019-1063 and 1104: RCE vulnerability based on how Internet Explorer 10 and 11 accesses objects in memory, opening the way to memory corruption and arbitrary code execution.
CVE-2019-1072: RCE in Azure DevOps Server and Team Foundation Server, allowing an attacker to execute code on the target using a specially crafted file and bypassing authentication.
CVE-2019-1102: RCE vulnerability in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to take full control of the compromised system through a whole set of ways, including convincing the victim to open a malicious document, visiting a malicious website, or clicking on a malicious email attachment.