Microsoft February Patch Tuesday

Microsoft and Adobe have issued patches for 150 vulnerabilities this February 2019 Patch Tuesday. These updates included patches for 43 critical Adobe flaws and 20 critical Microsoft flaws. Microsoft only identified one vulnerability that hackers were actively exploiting in the wild.

The Google Project Zero team identified the exploited vulnerability. The vulnerability, CVE-2019-0676, is in Internet Explorer 11. Hackers can exploit the flaw if a user visits a specially crafted website. The flaw is an information disclosure issue caused by how IE handles objects in memory. An attacker can check a user’s hard drive for specific files. Microsoft has already advised all users to switch to Edge and not to use IE as the default browser due to security risks associated with IE.

Microsoft issued fixes for four vulnerabilities that had been made public before a patch was released. Microsoft rated all four flaws as “important”. One of those, the Microsoft Exchange Server flaw known as PrivExchange (CVE-2019-0686), was publicly disclosed last week. This privilege escalation vulnerability could allow a threat actor with a mailbox account to gain Domain Administrator privileges, which would allow access to domain user credentials.

Microsoft covered a significant number of its products in this Patch Tuesday. Patches were issued for Windows, Microsoft Office, the .NET Framework, Visual Studio, Exchange Server, Team Foundation Server, Azure IoT SDK, Dynamics, Azure, IE, Edge, and Adobe Flash Player. In addition to the 20 critical vulnerabilities, Microsoft rated 54 “important”.

If a hacker were to exploit any of the critical vulnerabilities, they could successfully execute code remotely. The critical vulnerabilities are in IE, Edge, Windows, and SharePoint. A Windows DHCP Server RCE memory corruption vulnerability (CVE-2019-0626) has the highest CVSS v3 score of all of the addressed flaws, with a rating of 9.8.

Adobe has fixed 75 important and critical vulnerabilities across its suite of products. Forty-three flaws in Adobe Reader and Adobe Acrobat have been rated critical, although none are believed to have been exploited in the wild.