  • Microsoft issues their Windows 10 March update, fixing 64 bugs, 17 of which are critical.
  • Two of the bugs were already under active exploitation, allowing hackers to perform privilege elevation attacks.
  • There’s still a vulnerability uncovered by a white-hat researcher, but Microsoft won’t fix it.

Microsoft has just released this month’s cumulative update (KB4489899 – 17763.379) for Windows 10, fixing a total of 64 bugs, 17 of them rated critical, including two Win32k holes (CVE-2019-0797, CVE-2019-0808) that were already under active exploitation. These two bugs allowed “elevation of privilege” attacks through the remote execution of code in kernel mode, which would give the attacker complete access and permission to create or delete accounts, files, and so on. This means that if you haven’t updated your operating system yet, you should do so immediately. Other important fixes include an “Active Directory” elevation of privilege vulnerability and a Windows DoS bug.

Microsoft lists the following key changes, while noting that no new features have been introduced with this update:

  • Addresses an issue in Microsoft HoloLens with tracking and device calibration that has affected some users. You may notice improvement 10-15 minutes after installing this update, but we recommend resetting the holograms for best results.
  • Addresses an issue that may cause users to receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.
  • Addresses an issue that may degrade graphics and mouse performance with desktop gaming when playing certain games, such as Destiny 2, after installing KB4482887.
  • Security updates to Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, Windows Shell, Windows App Platform and Frameworks, Windows Kernel-Mode Drivers, Windows Server, Windows Linux, Windows Hyper-V, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Wireless Networking, the Microsoft JET Database Engine, Windows Kernel, Windows, and Windows Fundamentals.

In the meantime, a security researcher (John Page) has published a proof of concept that reveals another vulnerability that hasn’t been fixed in this update. According to the researcher, an attacker could spoof a Windows dialog box to plant malware on the victim’s system, or make any other change to the Windows registry, by altering what the “Yes” and “No” options in the warning dialog appear to do. So, if the victim clicks the “Yes” button, the import proceeds.

“The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.”

To this, Microsoft responded by telling the researcher that “The issue submitted does not meet the severity bar for servicing via a security update.” This effectively means that they are not planning to fix the bug, a decision that is confusing, to say the least. Microsoft backs this decision by putting the blame on the user, who downloads and runs files from untrusted sources. In addition, the flaw needs the user’s interaction to work. With the proof of concept code out there, however, they should have taken a different approach on this matter.
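For administrators who want to act on both halves of this story, the following PowerShell script is an added example written for this article; it is not code from Microsoft or from the researcher. It checks whether the March cumulative update is present (by the KB number and the 17763.379 build number quoted above), and then reports, and optionally changes, what a double-clicked .reg file does. Making the default action “edit” (open in Notepad) rather than “open” (import into the registry) is a hardening assumption of this example, not a Microsoft recommendation: it removes the spoofable import dialog from the double-click path, and a deliberate import is still available from the right-click menu. The registry paths used (`HKCR\regfile\shell` and the `UBR` value under `CurrentVersion`) are standard Windows locations.

```powershell
# Added example (not from the article, Microsoft or the researcher).
# Run in an elevated PowerShell session on Windows 10.

$KbId = 'KB4489899'   # March 2019 cumulative update named in the article

function Test-KbInstalled {
    # Get-HotFix lists installed updates; a superseded KB may disappear from
    # this list later, so Test-BuildAtLeast is the more durable check.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Test-BuildAtLeast {
    # 17763.379 from the article: major build 17763, update build revision 379.
    param([int]$Build = 17763, [int]$Ubr = 379)
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $currentBuild = [int]$cv.CurrentBuildNumber
    $currentUbr   = [int]$cv.UBR
    return ($currentBuild -gt $Build) -or
           ($currentBuild -eq $Build -and $currentUbr -ge $Ubr)
}

function Get-RegFileDefaultAction {
    # The default verb of the 'regfile' ProgID decides what a double-click does.
    # An empty default means the 'open' verb, i.e. import with the warning dialog.
    $key  = 'Registry::HKEY_CLASSES_ROOT\regfile\shell'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrEmpty($item.'(default)')) {
        return 'open'
    }
    return $item.'(default)'
}

function Set-RegFileDefaultToEdit {
    # Hardening assumption of this example: route double-clicks to Notepad so the
    # import dialog is never reached by accident. Right-click > Merge still works.
    $key = 'Registry::HKEY_CLASSES_ROOT\regfile\shell'
    Set-ItemProperty -Path $key -Name '(default)' -Value 'edit'
}

# --- Report ---------------------------------------------------------------
if (Test-KbInstalled -or Test-BuildAtLeast) {
    Write-Host "[OK]   $KbId (or a later build) is installed."
} else {
    Write-Host "[WARN] $KbId is missing; install the March cumulative update."
}

$action = Get-RegFileDefaultAction
Write-Host "[INFO] Double-clicking a .reg file currently runs the '$action' verb."
if ($action -ne 'edit') {
    Write-Host "[INFO] Run Set-RegFileDefaultToEdit to open .reg files in Notepad instead."
}
```

The script only reports by default; call `Set-RegFileDefaultToEdit` yourself once you have decided the change suits your environment. Note that a per-user override under `HKCU\Software\Classes\regfile\shell` takes precedence over the machine-wide value this example reads and writes.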

Do you generally download and run software from untrusted sources on your Windows installation? Let us know in the comments section below, and don’t forget to like and subscribe to our socials, on Facebook and Twitter.