Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

77 updates in Microsoft patch Tuesday

Microsoft released 77 updates, 20 of which were classified as critical, in this months patch Tuesday announcement.

The updates included fixes for Microsoft Windows, Office, IE, Edge resolving a total of 74 unique CVEs this month including one actively exploited zero day flaw in Internet Explorer, according to its February Patch Tuesday release.

The zero day  allows an attacker to read the contents of files on disk and can as the attacker can persuade a user to open a malicious website to exploit the vulnerability.

The upgrade also addressed a privilege escalation proof of concept for Microsoft Exchange Server would effectively allow an attacker to elevate their privilege level to Domain Admin or grant the attacker access to other users inboxes.

In addition, a the updates addressed a proof of concept dubbed “PrivExchange” that  would allow an attacker to perform a man-in-the-middle attack that would allow them to elevate privileges on the Exchange Server to a Domain Admin.
Microsoft also released updates for Exchange Server resolving a vulnerability in the Exchange Web Services contract between EWS clients and Exchange to not allow authenticated notifications. Instead it would make these notifications anonymous so the attacker could not gain access to another user's mailbox.

Chris Goettl, director of product management, security, for Ivanti, said Microsoft OS, browser, and Office updates should be a priority “especially the OS and IE with actively exploited and publicly disclosed vulnerabilities being resolved." 

He urged users to quickly patch escalation vulnerabilities with working proof-of-concept code available to the public and and that an attacker could gain Domain Admin rights to a domain controller or access to a user's mailbox.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.