Microsoft’s Patch Tuesday updates for March address 64 vulnerabilities, including two Windows zero-days.
One zero-day is a Win32k-related privilege escalation vulnerability (CVE-2019-0797). The flaw affects Windows 10, Windows 8.1, Windows Server 2012, Windows Server 2016, and Windows Server 2019. The good news is that Microsoft believes exploitation is unlikely against the latest versions of Windows.
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, according to the advisory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The zero-day came to Microsoft via Kaspersky Lab. Researchers said the vulnerability is being exploited in targeted attacks.
The other zero-day is another Win32k Elevation of Privilege Vulnerability (CVE-2019-0808), which Google’s Threat Analysis Group reported to Microsoft after seeing it used in targeted attacks.
The vulnerability, which affects the Win32k component, allows an authenticated attacker to elevate privileges and execute arbitrary code in kernel mode, Microsoft said in an advisory.
The flaw affects Windows 7 and Windows Server 2008.
The March security release has security updates for the following software:
• Adobe Flash Player
• Internet Explorer
• Microsoft Edge
• Microsoft Windows
• Microsoft Office and Microsoft Office SharePoint
• Team Foundation Server
• Skype for Business
• Visual Studio