Microsoft released patches for two Win32k bugs actively under attack, along with fixes for four additional bugs that are publicly known, as part of its March Patch Tuesday security bulletin. The Win32k bugs are both elevation of privilege vulnerabilities, rated important, and tied to the way Windows handles objects in memory.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” wrote Microsoft in its security bulletin for both Win32k bugs (CVE-2019-0797, CVE-2019-0808).

One of the bugs being actively exploited was reported by Kaspersky Lab, while the other was reported by the Google Threat Analysis Group. News broke last week that two vulnerabilities – CVE-2019-0808 and a separate Google Chrome CVE-2019-5786 – were being actively exploited in the wild together. Now all three zero-days have been patched.

The four additional bugs, rated important, which are publicly known exploits (CVE-2019-0683, CVE-2019-0754, CVE-2019-0757 and CVE-2019-0809), ranged from an Active Directory elevation of privilege vulnerability to a Windows denial of service vulnerability.

The most interesting of the above bugs is CVE-2019-0757 – a NuGet package manager tampering vulnerability. According to commentary by researchers at the Zero Day Initiative, the patch corrects a bug in the NuGet package manager that allows an attacker to modify a package’s folder structure.

“If successful, [an adversary] could modify files and folders that are unpackaged on a system,” ZDI wrote. “If done silently, an attacker could potentially propagate their modified package to many unsuspecting users of the package manager. Fortunately, this requires authentication, which greatly reduces the chances of this occurring. This is one of the four publicly known bugs for this month, so if you’re a NuGet user, definitely get this patch.”

17 Critical Bugs, Slayed

In all, Microsoft reported 64 unique bugs, 17 critical, 45 rated important, one moderate and one rated low in severity.

“There are three Windows DHCP Client Remote Code Execution vulnerabilities with a 9.8 CVSS score in this month’s release,” wrote Satnam Narang, senior research engineer at Tenable in security brief. “This is the third straight month that Microsoft patched high severity bugs in either Windows DHCP Client or Windows DHCP Server, signaling increased attention on finding DHCP bugs.”

Those DHCP bugs (CVE-2019-0697, CVE-2019-0698, CVE-2019-0726) could allow attackers to execute their code in the DHCP client on affected systems.

“These bugs are particularly impactful since they require no user interaction – an attacker send a specially crafted response to a client – and every OS has a DHCP client,” wrote Dustin Childs in a blog post on the ZDI. “There would likely need to be a man-in-the-middle component to properly execute an attack, but a successful exploit would have wide-ranging consequences.”

Battling Bad Scripting

This month’s critical and important bug fixes were dominated by code execution flaws impacting Microsoft’s Edge and Internet Explorer browsers. A Chakra scripting engine memory corruption vulnerability (CVE-2019-0592) patched by Microsoft is typical.

The flaw (CVE-2019-0592) is tied to the way the Chakra JavaScript scripting engine handles objects in memory in Microsoft Edge. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft wrote. The attack scenario includes a booby-trapped website where specially crafted content triggers the attack chain.

On Tuesday, Microsoft also include three advisories. Here they are verbatim:

ADV190009 announces SHA-2 Code Sign support for Windows 7 SP1 and Windows Server 2008 R2. This update will be required for any new patches released after July 2019. Older versions of WSUS should also be updated to distribute the new SHA-2 signed patches.

ADV190005 gives guidance on sharing the same user account across multiple users. Microsoft discourages this behavior and considers it a major security risk.

ADV190005 provides mitigations for a potential denial-of-service in http.sys when receiving HTTP/2 requests. The patch allows users to set a limit on how many SETTINGS parameters can be sent in a single request.

Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.