Welcome to April’s Automox Patch Tuesday breakdown. This month’s release follows the recent trend, with more than 70 vulnerabilities patched across the Microsoft product line. That includes the many supported flavors of the Windows operating system itself, the expected browser patches for both Internet Explorer and Edge, and of course the productivity tools: Office, Exchange, and SharePoint. On the Adobe side, there are patches for Adobe Acrobat Reader and Flash Player.
Don't forget to register for our joint webinar with SentinelOne covering April's Patch Tuesday on Tuesday, April 16th, from 1:00pm to 2:00pm ET.
In this post, we want to showcase a few notable updates this month that truly underscore the importance of implementing a solid patch management process AND following it diligently! Two of the Windows OS vulnerabilities, CVE-2019-0803 and CVE-2019-0859, are being actively exploited in the wild. However, as you’ll see shortly, the ones perceived as most dangerous are not always the ones that do the most damage to your enterprise environment.
Before we unpack the two vulnerabilities that most people will consider the truly “serious” ones, let’s discuss two seemingly innocent and relatively benign updates. We picked these two somewhat arbitrarily (there are plenty of vulnerabilities to choose from this month) but not by accident: CVE-2019-0853, a GDI+ Remote Code Execution vulnerability, and CVE-2019-0822, a Microsoft Graphics Components Remote Code Execution vulnerability. You might be thinking, “Who really cares about those? What about the two Windows operating system vulnerabilities that are being actively exploited?” We’ll get to those, but first, let’s think like an attacker…
What is the biggest vulnerability that any organization, in any sector and of any size, faces? Your employees. Why? Because people click on shit! Almost compulsively and with seemingly reckless abandon. Imagine an appropriately targeted spear phishing campaign zeroing in on your organization. Unbeknownst to many of you, it is beyond trivial for attackers to research your employees and your organization through social media and other open sources. Once they have done their reconnaissance, perhaps they craft an email to your executive team right around the end of the quarter highlighting key deals that need to close. Maybe it’s a spoofed email from your CEO asking your sales leadership team to review key financial metrics. To a dedicated attacker, the potential ideas are almost limitless.
Now, let’s get back to CVE-2019-0853 and CVE-2019-0822 and why they truly highlight the critical importance of solid patch management practices in your environment. Both are Remote Code Execution vulnerabilities. They affect various flavors of the Windows operating system (Windows 10 back to Windows 7, and more) as well as Microsoft Office, including installed versions of Office for Windows and Mac and Office 365. To exploit either one, an attacker simply needs to get a user to open (remember, users love to click on shit) a specially crafted file, and voila, you just got pwned. The code runs with whatever rights that user has, and that is all an attacker needs for an initial foothold. Too bad your systems weren’t patched. Remember the spear phishing examples above? You should have a new appreciation for how trivially easy it is for attackers to gain a foothold inside your environment.
Alright, now let’s discuss the two vulnerabilities that Microsoft knows are actively being exploited in the wild: CVE-2019-0803 and CVE-2019-0859. Both are Win32k Elevation of Privilege vulnerabilities, and both affect so many versions of the Windows operating system that it’s cumbersome to list them all in this blog post. Microsoft didn’t provide details as to how they are being weaponized, but think about the attack scenarios above and imagine the two crafted-file RCE vulnerabilities chained with either of these EoP bugs: the malicious document gets code running as the user, and the Win32k bug takes it the rest of the way. Attackers can then execute arbitrary code in kernel mode, no less. From there they could install programs; view, change, or delete data; or create new accounts with full user rights. That’s some pretty scary stuff, to say the least. Note that an EoP bug on its own is not a way in; it is what turns a phished user into a compromised machine, which is exactly why the “boring” RCE patches above matter just as much.
If you own security inside your organization and you do not have patch management policies, or you don’t follow the ones you do have, then it’s time to act now. As the scenarios above make painfully clear, it’s more important than ever to ensure that your systems are patched in a timely manner.
Automox can help ensure your systems are adequately patched in a timely manner in order to protect your organization against any of these vulnerabilities. As a best practice, you should always ensure that you have at least one patch policy assigned to all of your devices covering Critical, Medium, and Low severity patches. These updates are generally Security and Cumulative software updates. Automox is designed to automate your response to zero-day vulnerabilities like these two across the Windows, Mac, and Linux operating systems.
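Whatever tool applies the patches, it is worth confirming on the endpoint that they actually landed. The script below is an added example written for this post, not Automox code and not part of the original article. It uses the Windows Update Agent COM API to list the security and cumulative updates installed on or after the April 2019 Patch Tuesday (Tuesday, April 9, 2019) and to report anything still pending. The date is a parameter so the same check works for any month; the title patterns are an assumption based on how Microsoft names monthly rollups and cumulative updates in update history.

```powershell
# Added example (not Automox code): verify that this Windows host received
# security/cumulative updates on or after a given Patch Tuesday and show
# what is still pending. Run from an elevated PowerShell session on the host.
param(
    # April 2019 Patch Tuesday was Tuesday, April 9, 2019.
    [datetime]$PatchTuesday = '2019-04-09'
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# 1. Installed history. ResultCode 2 means the install succeeded.
#    The title regex is an assumption: Windows 7/8.1 rollups are titled
#    "Security Monthly Quality Rollup", Windows 10 uses "Cumulative Update",
#    and standalone fixes use "Security Update".
$count   = $searcher.GetTotalHistoryCount()
$history = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
$installed = $history |
    Where-Object { $_.ResultCode -eq 2 -and $_.Date -ge $PatchTuesday } |
    Where-Object { $_.Title -match 'Security Update|Cumulative Update|Security Monthly Quality Rollup' } |
    Select-Object Date, Title

# 2. Pending updates. This contacts WSUS or Windows Update, so it needs
#    network access to whichever source the host is configured for.
$pending = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates |
    Select-Object Title, MsrcSeverity,
        @{ Name = 'KB'; Expression = { ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',' } }

# 3. Cross-check with the classic hotfix view (Get-HotFix reads the same
#    data the old wmic qfe did; it does not see Click-to-Run Office updates).
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday } |
    Select-Object HotFixID, Description, InstalledOn

"== Security/cumulative updates installed since $($PatchTuesday.ToShortDateString()) =="
$installed | Format-Table -AutoSize
"== Hotfixes installed since $($PatchTuesday.ToShortDateString()) =="
$hotfixes | Format-Table -AutoSize
"== Pending updates =="
$pending | Format-Table -AutoSize

# Non-zero exit lets a scheduler or fleet tool flag the host.
if (-not $installed) {
    Write-Warning "No security or cumulative update installed since $($PatchTuesday.ToShortDateString())"
    exit 1
}
if ($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' }) {
    Write-Warning 'Critical or Important updates are still pending'
    exit 2
}
exit 0
```

Two caveats a practitioner will hit: Office 365 Click-to-Run builds do not go through Windows Update, so an Office RCE like CVE-2019-0853 or CVE-2019-0822 can still be unpatched on a host this script reports as clean; compare the `VersionToReport` value under `HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` against the current Office release notes instead. And an update that shows as installed but is awaiting a reboot is not yet protecting the machine, so pair this check with your reboot policy.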
Current Automox customers can create policies that automatically handle the patching and execution of important updates for you every single month. Alternatively, you may contact our support team for any technical assistance at email@example.com.
If you are not currently an Automox customer, we invite you to sign up for a free 15-day trial of our cloud-based, automated patch management solution. Visit www.automox.com/signup to get started.