March Patch Tuesday shuts down two zero-day exploits
In addition to the March Patch Tuesday updates, Microsoft's attempts at improving performance following Spectre variant 2 patches backfire for some users on Windows 10.
Microsoft delivered fixes for 64 unique vulnerabilities, with 17 rated critical, including two zero-day vulnerabilities and four public disclosures on March Patch Tuesday.
Microsoft closed two zero-days (CVE-2019-0797 and CVE-2019-0808), both elevation-of-privilege vulnerabilities caused by the Win32k component improperly handling objects in memory. Attackers chained CVE-2019-0808 with a separate Google Chrome vulnerability (CVE-2019-5786) to break out of the browser sandbox and run malicious code on Windows 7 and Windows Server 2008 systems. Google updated Chrome to address its side of the issue.
"Administrators will want to [update] Chrome and all OSes as quickly as possible this month to fully patch that [CVE-2019-0808] zero-day," said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.
CVE-2019-0797 affects Windows 8.1 and Windows 10 on the client side and Windows Server 2012, 2012 R2, 2016 and 2019 on the server side.
March Patch Tuesday changed how Win32k handles objects in memory to fix the flaws highlighted in CVE-2019-0797 and CVE-2019-0808.
Microsoft addresses four public disclosures
Although all four public disclosures are rated important, most organizations are unlikely to face serious risk from them before administrators apply the March Patch Tuesday fixes, according to Goettl.
"There is proof that these can be exploited. It would require either some significant forethought on how you would use it or would require access to the environment to exploit the vulnerabilities, but each of them could be used in a live attack scenario," Goettl said.
Microsoft resolved a denial-of-service vulnerability (CVE-2019-0754), caused by Windows improperly handling objects in memory, in all supported OSes. A targeted system can stop responding if an attacker who already has access to it runs a specially crafted application.
An elevation-of-privilege vulnerability (CVE-2019-0683) affects Windows Server 2008 systems and Windows 7. An attacker with access to a trusted Active Directory forest could request delegation of a ticket-granting ticket (TGT) for an identity in the trusting forest and then use that ticket to reach services there. The March update gives administrators a switch to disable TGT delegation across the trust; Microsoft said later updates would make that setting the default.
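The exposure behind CVE-2019-0683 is unconstrained delegation reaching across a forest trust, so the practical check is twofold: which trusts still permit TGT delegation, and which accounts are marked trusted for delegation. The script below is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory RSAT module, read access to the forest, and that the TGTDelegation property on Get-ADTrust output and the netdom /EnableTGTDelegation switch behave as Microsoft's guidance describes.

```powershell
# Added example: audit forest trusts and accounts for delegation exposure.
# Assumes the ActiveDirectory module (RSAT) and an account that can read the forest.
Import-Module ActiveDirectory

# 1. Trusts that still allow a TGT to be delegated across the trust boundary.
$trusts = Get-ADTrust -Filter * -Properties TGTDelegation |
    Select-Object Name, Direction, TGTDelegation
$trusts | Format-Table -AutoSize

foreach ($t in ($trusts | Where-Object { $_.TGTDelegation -eq $true })) {
    Write-Warning "TGT delegation is enabled across trust '$($t.Name)'"
    # To turn it off, run in the trusting domain (names are placeholders):
    #   netdom trust <trusting-domain> /domain:<trusted-domain> /EnableTGTDelegation:No
}

# 2. Accounts configured for unconstrained delegation. These are the accounts that
#    would receive and hold a reusable TGT. Domain controllers carry the flag by
#    design; anything else in this list deserves a second look.
$dcNames = (Get-ADDomainController -Filter *).Name

$computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation |
    Where-Object { $dcNames -notcontains $_.Name }

$users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation

$computers + $users |
    Select-Object Name, ObjectClass, DistinguishedName |
    Sort-Object ObjectClass, Name |
    Format-Table -AutoSize
```

Run it from a management host in the trusting forest; the trust-level switch is the mitigation the update introduced, while the account list tells you which systems an attacker in the trusted forest could actually have leveraged.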
Microsoft Visual Studio 2017 version 15.9 is susceptible to a remote code execution vulnerability (CVE-2019-0809). To exploit it, an attacker places a malicious dynamic link library (DLL) file on the local system and gets a user to run an executable that loads it. The March Patch Tuesday update corrects how Visual Studio validates input before loading a DLL file.
Microsoft also closed a NuGet Package Manager tampering vulnerability (CVE-2019-0757) that affects Linux and Mac installations by correcting the permissions on NuGet folders. Without the fix, an attacker could change the contents of a package folder before an application is built or installed.
Earlier update to mitigate Spectre slowdown backfires
Windows 10 and Windows Server 2019 users may have noticed a significant performance hit after installing a March 1 cumulative update. Microsoft recommended that affected users uninstall the update until it can revisit the fix.
The update included an implementation of Retpoline, a compiler-level mitigation technique Google published to reduce the CPU slowdown caused by Spectre variant 2 patches. But various reports indicated workload performance actually got worse after applying this update. It is unclear whether Retpoline itself was part of the speed problem.
Keep up with vulnerabilities outside monthly updates
Prior to March Patch Tuesday, Microsoft issued an advisory (ADV190005) to mitigate an IIS bug that could be used in denial-of-service (DoS) attacks.
Unpatched IIS servers that attempt to process a malicious HTTP/2 request could see CPU usage jump to 100%, leaving the system unresponsive. The bug affects Windows 10, Windows Server 2016, and Server Core versions 1709 and 1803. To mitigate the issue, Microsoft gave administrators a way to set thresholds for HTTP/2 SETTINGS frames on IIS servers.
"[The IIS bug] will likely never be patched because it's a default setting," Goettl said. "If people want to prevent this -- you can call it a DoS attack -- it can only be stopped if you kill the connection. It would be best for people to put that configuration in place so they can put this behind them."
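Because the mitigation for ADV190005 is a configuration rather than a patch, it is worth scripting so it can be applied and verified consistently. The following is an added example, not code from the article or from Microsoft's advisory. It assumes the two DWORD values the advisory introduced under the HTTP.sys Parameters key (Http2MaxSettingsPerFrame and Http2MaxSettingsPerMinute); the sample thresholds and the allowed ranges shown are reproduced from memory of the advisory and should be confirmed against ADV190005 before use.

```powershell
# Added example: set and read back the HTTP/2 SETTINGS thresholds from ADV190005.
# Run elevated on the IIS host. The values are read by HTTP.sys at startup,
# so reboot (or restart the HTTP service) for them to take effect.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Sample thresholds (assumption; tune for your traffic) and the ranges the
# advisory documents (confirm against ADV190005).
$limits = @{
    Http2MaxSettingsPerFrame  = @{ Min = 7; Max = 2796202;    Value = 100  }
    Http2MaxSettingsPerMinute = @{ Min = 7; Max = 4294967295; Value = 4096 }
}

function Set-Http2Threshold {
    param([string]$Name, [int64]$Value, [int64]$Min, [int64]$Max)
    if ($Value -lt $Min -or $Value -gt $Max) {
        throw "$Name=$Value is outside the supported range $Min..$Max"
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Name -Value $Value -Type DWord
}

function Get-Http2Threshold {
    param([string]$Name)
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (unthrottled default)' }
    $item.$Name
}

foreach ($name in $limits.Keys) {
    $l = $limits[$name]
    Set-Http2Threshold -Name $name -Value $l.Value -Min $l.Min -Max $l.Max
    '{0,-28} {1}' -f $name, (Get-Http2Threshold -Name $name)
}
```

A connection that exceeds either threshold is dropped, which is the behavior Goettl describes: the only way to stop the flood is to kill the connection, so the thresholds decide how much SETTINGS traffic a client may send before that happens.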
Expert advises updating all systems to SHA-2 before June
Administrators have until July to update Windows 7, Windows Server 2008 and Windows Server 2008 R2 systems to support SHA-2 code signing, or machines running those OSes will no longer receive patches.
Microsoft currently signs its OS updates with both the SHA-1 and SHA-2 hash algorithms, but known weaknesses in SHA-1 could allow an attacker to pass off malicious code as a legitimate update during the update process.
Microsoft updates will be signed only with SHA-2 after July 2019. Administrators should prepare for the SHA-2 migration using Microsoft's guidance, which details the rollout schedule and the prerequisite updates.
"Other than if you have [older systems than Windows 2008], there isn't really a reason not to do this unless a vendor you use has dependencies on SHA-1 and they have to check it," Goettl said. "Some companies may want to test it early to make sure it doesn't break anything else."
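A quick way to act on that advice is to inventory which legacy hosts still lack the SHA-2 prerequisites. The script below is an added example, not code from the article or from Microsoft's guidance. It assumes the two updates Microsoft published for Windows 7 SP1 and Windows Server 2008 R2 SP1 (the KB4490628 servicing stack update and the KB4474419 SHA-2 support update), that WMI/DCOM is reachable on the targets, and that the computer list is supplied by the reader; Windows Server 2008 SP2 needs a different servicing stack update and is deliberately only flagged here.

```powershell
# Added example: report SHA-2 readiness for Windows 7 / Server 2008 R2 hosts.
# Assumes WMI access to each host and the KB numbers from Microsoft's SHA-2 guidance.
$requiredKBs = @('KB4490628', 'KB4474419')   # servicing stack update, then SHA-2 support

function Test-Sha2Ready {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Computer = $ComputerName; OS = 'unreachable'; Needed = $null; Missing = $_.Exception.Message; Ready = $false }
    }

    # 6.1 = Windows 7 / Server 2008 R2; 6.0 = Server 2008 SP2 (different SSU, not checked here).
    $major = [version]$os.Version
    $needed = ($major.Major -eq 6 -and $major.Minor -eq 1)
    if ($major.Major -eq 6 -and $major.Minor -eq 0) {
        return [pscustomobject]@{ Computer = $ComputerName; OS = $os.Caption; Needed = $true; Missing = 'check Server 2008 SP2 prerequisites manually'; Ready = $false }
    }
    if (-not $needed) {
        return [pscustomobject]@{ Computer = $ComputerName; OS = $os.Caption; Needed = $false; Missing = @(); Ready = $true }
    }

    $installed = (Get-HotFix -ComputerName $ComputerName).HotFixID
    $missing = @($requiredKBs | Where-Object { $installed -notcontains $_ })
    [pscustomobject]@{
        Computer = $ComputerName
        OS       = $os.Caption
        Needed   = $true
        Missing  = ($missing -join ', ')
        Ready    = ($missing.Count -eq 0)
    }
}

# Reader supplies the host list; sample names are constructed.
$hosts = @('legacy-app01', 'legacy-app02')
$report = $hosts | ForEach-Object { Test-Sha2Ready -ComputerName $_ }
$report | Format-Table Computer, OS, Needed, Ready, Missing -AutoSize
```

Hosts that report Ready = $false with KB4490628 missing should get the servicing stack update first, because the SHA-2 support update depends on it; hosts whose vendor software still checks SHA-1 signatures, as Goettl warns, are the ones to test early rather than skip.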