Microsoft's plasters over critical flaws in IE and Exchange

Microsoft plasters over some 77 vulnerabilities

MICROSOFT HAS DIPPED into its digital paste bucked and slathered a load of patches over zero-days vulnerabilities in Internet Explorer and Exchange.

As part of Redmond’s Patch Tuesday efforts, Microsoft has fixed 77 security flaws in total. But the nastiest ones were in IE – you know Redmond’s browser-not-browser – and Microsoft Exchange.

The IE vulnerability has allowed hackers to probe the presence of files on an affected PC – Microsoft said the flaw has been exploited out in the wild – providing that the attackers managed to lure victims to a malicious site whereby the vulnerability, listed as CVE-2019-0676, could be exploited.

“The browser flaw exists in cases when IE improperly handles objects in memory. An attacker who successfully exploits it could test for the presence of files on disk. In order to take advantage of the vulnerability, an attacker has to persuade a user to visit a malicious site,” security boffins at Trend Micro said, adding some context to the vulnerability.

The Exchange flaw could have allowed hackers to remotely gain administrative control over an Exchange server with an unprivileged mailbox account.

CVE-2019-0686, or PrivExchange to give it its more snappy name, has only been used as a proof-of-concept exploit, though Microsoft said it’s likely that the vulnerability will get exploited out in the wild if it’s not patched out by IT admins.

“The vulnerability allows an attacker to gain the same rights as any other Exchange server user and to access other users’ mailboxes,” said Trend Micro. “In addition, system administrators are advised to prioritize patching a critical-rated Windows DHCP server remote code execution vulnerability (CVE-2019-0626). The bug allows attackers to take over a network’s DHCP server by sending it a specially crafted packet.”

Redmond’s security firm also patched a suite of other security holes, such as vulnerable parts of the Edge browser, Office, Visual Studio and Microsoft Dynamics.

If you happen to be an IT admin then best get on the patching bandwagon, as 20 of the vulnerabilities are listed as critical and should be fixed as soon as possible before opportunistic hackers come winging their way in your direction. µ

Further reading

Source link


Please enter your comment!
Please enter your name here