Microsoft Released Security Updates & Fixed More than 70 Flaws Along with Active Zero-Day Browser Bug

Microsoft released new security updates for February under patch Tuesday with the fixes for more than 70 vulnerabilities that affected Microsoft products.

This is a second security update for this month and the first security advisory Microsoft releases on earlier of this month for the fixes of Privilege Escalation Vulnerability With Exchange Server.

Most of the vulnerabilities reported by various independent security researchers around the globe for the following Microsoft products.

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • .NET Framework
  • Microsoft Exchange Server
  • Microsoft Visual Studio
  • Azure IoT SDK
  • Microsoft Dynamics
  • Team Foundation Server
  • Visual Studio Code

Microsoft fixed an active Internet Explorer zero-day vulnerability (CVE-2019-0676) in the security updates and the bug allow attackers to send open a malicious website link to exploit the browser flaw.

Also in another bug critical bug in Microsoft’s Exchange Server  (CVE-2019-0686) allows a remote attacker with a simple mailbox account to gain administrator privileges.

A Remote code execution vulnerability (CVE-2019-0640) that affected Microsoft Edge browser scripting engine handles also fixed in this security updates.

Edge Flaw allows an attacker who successfully exploited the vulnerability could gain the same user rights as the current user and if the current user logged in as admin then it could lead an attack to gain admin level access and take full control of the affected system.

There are 18 vulnerabilities are marked as critical severity and the vulnerabilities categories under Remote Code Execution and script engine Memory Corruption.

Critical Vulnerabilities list

Scripting Engine Memory Corruption VulnerabilityCVE-2019-0655Critical
Microsoft Edge Memory Corruption VulnerabilityCVE-2019-0650Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0651Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0652Critical
Microsoft Edge Memory Corruption Vulnerability CVE-2019-0645Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0642Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0640Critical
Windows DHCP Server Remote Code Execution VulnerabilityCVE-2019-0626Critical
GDI+ Remote Code Execution VulnerabilityCVE-2019-0618Critical
Microsoft SharePoint RCE Vulnerability CVE-2019-0604Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0605Critical
Internet Explorer Memory Corruption VulnerabilityCVE-2019-0606Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0607Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0590Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0591Critical
Scripting Engine Memory Corruption VulnerabilityCVE-2019-0593Critical
Microsoft SharePoint RCE VulnerabilityCVE-2019-0594Critical

Another fix Microsoft released for Critical DHCP vulnerability (CVE-2019-0626) this month that could allow an attacker to send a specially crafted packet to a DHCP server

Also, Microsoft fixed all the office vulnerabilities that include 19 security updates and 28 non-security updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago