Governance & Risk Management , Patch Management
Microsoft Patches 2 Windows Flaws Already Being Exploited
September's Patch Tuesday Addresses Elevation of Privileges FlawsAs part of its September Patch Tuesday security update, Microsoft issued software fixes for two vulnerabilities in several versions of Windows that it says are being exploited by attackers in the wild.
See Also: Identity Security and How to Reduce Risk During M&A
These two zero-day vulnerabilities are considered elevation of privilege flaws that could allow an attacker to run malicious code by using administrative privileges within an infected Windows device, according to the Microsoft advisory.
The two vulnerabilities were among nearly 80 vulnerabilities for which Microsoft issued patches on Tuesday. Some 17 vulnerabilities were listed as critical.
Zero-Day
One of the zero-day vulnerabilities that’s already being exploited - referred to as CVE-2019-1214 - is found in older versions of Windows and affects the operating system's Common Log File System Driver. If exploited, it can enable an attacker to gain administrative privileges within an infected Windows devices, according to an analysis by TrendMicro's Zero Day Initiative.
The second vulnerability that’s being exploited - CVE-2019-1215 - affects the ws2ifsl.sys, or Winsock service, which is found in older and newer versions of Windows, according to the TrendMicro analysis. An attacker can use this flaw to escalate privileges from user to administrator within an infected devices to spread malicious code. The TrendMicro analysis notes that this particular flaw had been exploited earlier as well.
In its analysis, TrendMicro researchers note that attackers frequently target low-level Windows services as a way to spread malware through a network. "Regardless, since this is being actively used, put this one on the top of your patch list," the TrendMicro analysis advises.
Microsoft's Security Response Center team did not reveal where or how these two vulnerabilities are being exploited in the wild. Within the alert for CVE-2019-1214, however, the company credits researchers with China's Qihoo 360 security firm with first discovering the flaw and reporting it.
"Patching should be prioritized," Jimmy Graham, an analysis with security firm Qualys notes. "Privilege escalation vulnerabilities are commonly used [by attackers] along with Remote Code Execution where the RCE does not grant administrative rights."
Patching strategies should be part of a larger discussion on vulnerability management, says Phil Venables, a board director and senior adviser for risk and cybersecurity at Goldman Sachs Bank (see: Software Bugs: Gotta Catch 'Em All?).
Remote Code Execution
In addition to issuing patches for the two vulnerabilities currently being exploited, Microsoft issued four patches to address remote code execution bugs within Windows.
Microsoft did not say whether these types of remote code execution flaws are "wormable," meaning that once exploited, the malicious code can move from system to system in the same way that the WannaCry malware infected networks in 2017.
Microsoft has been warning about the wormable BlueKeep vulnerability, which the company first patched in May. Last week, Metasploit researchers released a exploit that uses the BlueKeep vulnerability so that security teams could see what attackers could do if they took advantage of the flaw (see: Weaponized BlueKeep Exploit Released).
Graham and the researchers at TrendMicro both note that in the case of these newly patched remote code execution flaws, an attacker would have to get a victim to connect to a server under their control, which reduces the likelihood that these are wormable in the same way that BlueKeep is.
"To exploit these vulnerabilities an attacker would need to get a user to connect to a malicious or compromised [Remote Desktop Protocol] server," Graham notes. "The vulnerabilities were discovered by Microsoft as a result of internal vulnerability testing against the Remote Desktop Client. These patches should be prioritized on all systems where the Remote Desktop Client is used."