Microsoft has rolled out a series of crucial updates as part of its monthly “Patch Tuesday” initiative, aiming to address a total of 64 CVE-listed vulnerabilities in its Windows operating systems and various applications. Among these vulnerabilities, 17 have been classified as critical, 45 as important, while one is considered moderate and another low in severity.
The recently released update targets security flaws found across several Microsoft products, including Windows, Internet Explorer, Edge, and Microsoft Office applications, as well as Visual Studio NuGet and Skype for Business. Notably, four vulnerable components, all categorized as important, had been publicly disclosed, but no active exploitation has been reported as of now.
A significant concern is the resolution of two zero-day privilege escalation vulnerabilities that hackers are currently exploiting. Both vulnerabilities reside within the Win32k component of Windows and have been rated as important. Google previously alerted the tech community to one of these flaws, which was being exploited alongside a vulnerability in Chrome’s web browser.
Specifically, one zero-day vulnerability, identified as CVE-2019-0808, permits remote attackers to execute arbitrary code on systems running Windows 7 or Server 2008. The second zero-day, CVE-2019-0797, which affects Windows versions 10, 8.1, and various server editions, also enables similar attacks. Security researchers from Kaspersky Labs have linked this vulnerability to targeted exploits by threat actors including FruityArmor and SandCat.
The recent updates also address 17 critical vulnerabilities that predominantly facilitate remote code execution attacks. These vulnerabilities impact multiple versions of Windows and are primarily found within the Chakra Scripting Engine, VBScript Engine, and DHCP Client. The important vulnerabilities can lead to various security risks, including privilege escalation, information disclosure, and denial of service attacks.
Given the urgency of these updates, IT administrators and end users are strongly advised to apply the patches promptly to mitigate potential exploitation. To install the latest security updates, users can navigate to Settings → Update & Security → Windows Update and select “Check for updates.”
In an additional enhancement aimed at improving user safety on Windows 10, Microsoft has introduced a feature that automatically uninstalls problematic updates if they cause startup failures. This new measure aims to provide a safety net, allowing users to recover their systems without manual intervention.
Furthermore, Adobe has also released security patches today, addressing two critical vulnerabilities that could allow arbitrary code execution in Adobe Photoshop CC and Adobe Digital Editions. Users are urged to update their software to the latest versions to remain secure against these vulnerabilities.
For business owners and system administrators, staying informed about such updates is crucial for safeguarding their organizations against rising cyber threats. Employing techniques aligned with the MITRE ATT&CK framework, including persistence and privilege escalation tactics, can help in understanding the potential misuse of these vulnerabilities and strengthen defenses against attacks.