Microsoft Patches 15 Critical Bugs in March Patch Tuesday Update | The first stop for security news | Threatpost

Microsoft Patches 15 Critical Bugs in March Patch Tuesday Update

Products receiving the most patches included Microsoft browsers and browser-related technologies such as the company’s JavaScript engine Chakra.

Microsoft patched 15 critical vulnerabilities this month as part of its March Patch Tuesday roundup of fixes. In all, the company issued 75 fixes, with 61 rated important. Products receiving the most urgent patches included Microsoft browsers and browser-related technologies such as the company’s JavaScript engine Chakra.

In all 21 browser-related fixes were rolled out by Microsoft, 14 of which are rated critical and the remaining seven ranked important. Of the bugs, “scripting engine memory corruption vulnerabilities” represented 14 of the flaws.

Each of the browser scripting issue allowed adversaries to exploit flaws in the way the browser and Microsoft’s JavaScript engine Chakra handles objects in memory. For example, with CVE-2018-0930, a web-based attacker could rig a website to exploit the vulnerability through Microsoft Edge or run malicious ads on an unsuspecting website to create conditions amenable to an attack.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft wrote. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

Worse, if a user is logged into a system as an administrator, an attacker could take control of an affected system and install programs, view folder contents and change, or delete data, Microsoft said.

Part of this month’s round of patches also included an additional update for the Meltdown vulnerabilities. Windows 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012 now have mitigations for Meltdown and Spectre.

“The Windows kernel received a lot of attention this month likely due to the ongoing attention on Meltdown and Spectre vulnerabilities. I stopped counting the CVEs after a dozen.  Good news is I did not see anything higher than an important rating, but that is a lot of changes in the kernel,” said Chris Goettl, director of product management, security, for Ivanti.

Worth noting are several additional bugs, including an important remote code execution vulnerability (CVE-2018-0886) in Microsoft’s Credential Security Support Provider protocol (CredSSP), used to chain user authentication from one client to another.

“As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote.

A Windows Shell vulnerability (CVE-2018-0883) is also worth highlighting, noted Jimmy Graham, director of product management at Qualys in a Patch Tuesday blog post.  The bug is “a remote code execution vulnerability in the Windows Shell. It does require the user to download and open a malicious file in order to exploit it, but this patch should also be prioritized for workstation-type systems,” he wrote.

Office-related bug fixes tied to SharePoint numbered 13, pointed out the Zero Day Initiative team blog. “All of these involve bugs with input sanitization that could allow cross-site scripting (XSS) attacks,” according to ZDI.

“This month also sees multiple Exchange patches, which always tend to make sysadmins nervous. The March release is rounded out by patches for ASP.NET and Windows OS components. Folks with ASP.NET Core applications should definitely take note since some of these bugs could cause those apps to crash,” ZDI said.

Suggested articles

Discussion

  • Taylor on

    Great update. Now my laptop won't start.
  • Florist on

    I had to restore our point of sale computer at our flower shop. The update causes the computer to crash. We are running Windows 7 pro.Yay Microsoft!
  • D on

    Update is causing Word 2106 to crash on save
  • Harry Barracuda on

    All worked fine on my three machines (Lenovo, Dell, MSI). Just sayin'.
  • art on

    I have multiple PCs that have lost device drivers and lots are not working.
  • Bev on

    My remote access stopped working. Our IT administrator had never seen the error. I too had to restore
  • wshawn on

    This is the reason, I forbid clients from running Microsoft web browsers. They should NEVER have had access to the user space or authentication.
  • Coz on

    This broke my machine too. 6 or so crashes so far in the past 2 days. The one I just saw was a heap corruption so something is crapping all over the memory. And the only reason it's "only 6" is that it had to stay crashed all day while I was gone. If I had the reboot on bluescreen enabled I'm sure it'd be dozens of times by now.
  • Anonymous on

    Virtual Machine lost its IP address
  • anonymous on

    This is not a good update. I've done a system restore to get rid of it so that I have connectivity again.
  • keith on

    windows 7 update dropped USB virtual port for thermal printer. Had to reinstall virtual port, then comes back as 'printer not registered.' Now I have to hunt through security settings to remove the block. Frustrating!!!!
  • elle on

    my dell laptop crashed
  • Anonymous on

    My comp started to f up on start up and get stuck unless I hard reset which I never wanna do. And my event log has tons of errors and warnings only starting after the update
  • Richard on

    "We couldn't complete the update, undoing changes" Happens everytime I wake PC from sleep or restart it. And SatNad, THIS is why we don't want forced auto Windows updates. Your quality control sucks. In fact, I think Steve Ballmer had a better track record when he was Microsoft's CEO.
  • Paul Meiners on

    Thanks Microsoft, made 4 hours billable time because your patches removed the teaming of two Intel Nics at a client. Nice to have 2 DHCP servers on the same server, multiple paths,and other fun issues. Where are you hiring your patch crews from.... perhaps from the Romper Room gang or Ex-Fisher Price employees. Getting to wonder... I might be safer without Microsoft updates.
  • Talentwise on

    3/24/19. HP is in a non-booting loop. Attempts, hp logo appears, a me box flickers on and off, then it says trying to recover the previous version before doing it all again. Microsoft is it own worst enemy when it comes to patches and updates. Even with a new "working" patch to fix this one, all these wasted hours for everyone having to system restore (if they have a backup).
  • KandaK on

    Kb4089229 has stuffed the network cards settings on windows 2008 servers. Microsoft confirmed this is known issue with the update.
  • john on

    thanks