Microsoft's scheduled March Patch Tuesday update bundle has rolled out. The bundle addresses numerous security flaws, including two zero-day vulnerabilities affecting Windows.
Fixes For Two Zero-Day Flaws Targeting Windows Users
Microsoft has released the scheduled updates for March 2019. This giant update bundle includes fixes for two zero-day flaws.
Reportedly, one of these zero-day flaws was being exploited in the wild, as Google revealed earlier. Together with a zero-day flaw in Google Chrome (CVE-2019-5786), the hackers exploited this Windows 7 zero-day (CVE-2019-0808) as a security sandbox escape. About this flaw, Microsoft stated in its advisory,
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
While Google quickly fixed the vulnerability on its end with the release of Chrome 72.0.3626.121, Microsoft kept working on a fix. It has now released the patch for this flaw for users of Windows 7 32-bit systems.
The other zero-day vulnerability patched by Microsoft is also a privilege escalation flaw, similar to the one described above. However, this zero-day, CVE-2019-0797, affected all Windows systems, including Windows 10. Microsoft also confirmed active exploitation of the flaw in its advisory, but it has not revealed any details about it.
More About Microsoft March Patch Tuesday Updates
In addition to these two, the March Patch Tuesday updates also brought fixes for four publicly known vulnerabilities, though Microsoft reported no active exploitation of them. These include an Active Directory elevation of privilege vulnerability (CVE-2019-0683), a remote code execution vulnerability in Visual Studio (CVE-2019-0809), a tampering vulnerability in NuGet Package Manager (CVE-2019-0757), and a Windows denial of service vulnerability (CVE-2019-0754).
In all, Microsoft's March updates address 17 critical vulnerabilities, 45 important flaws, 1 moderate-severity flaw, and 1 low-severity flaw. The Microsoft products receiving patches include Microsoft Edge, Internet Explorer, Adobe Flash Player, Microsoft Office, Microsoft Office SharePoint, Skype, Team Foundation Server, Microsoft Windows, NuGet, Visual Studio, and ChakraCore.
In February as well, Microsoft patched quite a few security vulnerabilities, including 20 critical and 54 important flaws.