14 DAY TRIAL // Microsoft’s February 2019 Patch Tuesday is one busy patching cycle, as it includes security updates for several products, including Windows, Office, Internet Explorer, Microsoft Edge, Microsoft Exchange, and others.
The software giant resolved a total of 74 vulnerabilities in its software, including several zero-days whose patching should be prioritized this month.
First and foremost, Microsoft has resolved a Windows Information Disclosure vulnerability that was publicly disclosed and which according to the company, wasn’t exploited.
“An information vulnerability exists when Windows improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read the contents of files on disk,” Microsoft says in CVE-2019-0636. The bug exists in all supported versions of Windows and an attacker needs to log in to the affected system before launching an attack.
Second, there’s a critical security bug in Internet Explorer which attackers can exploit by pointing users to a malicious website. Microsoft explains in CVE-2019-0676 that although the flaw wasn’t publicly disclosed, it was already exploited. Again, all versions of Internet Explorer that still get support are being targeted.
Exchange Server updates
Microsoft has also published updates for Exchange Server in order to address security vulnerabilities detailed in CVE-2019-0686 and CVE-2019-0724.
Both are elevation of privilege vulnerabilities in Exchange Server, and Microsoft explains only the first was publicly disclosed.
“Exploitation of this vulnerability requires Exchange Web Services (EWS) and Push Notifications to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user,” Microsoft says about the first vulnerability.
The second also requires a MITM attack, but this time the purpose is to forward an authentication request to a Microsoft Active Directory domain controller.
All patches are available right now from Windows Update on the targeted devices.