MICROSOFT HAS PATCHED two actively exploited Windows zero-days in its March 2019 Patch Tuesday bug-fix bundle.
The biggest patch is for the Windows 7 security flaw highlighted in a public warning by Google last week. The flaw was used in conjunction with a separate flaw in the Chrome web browser to potentially hijack systems, and Google warned that it had observed exploits in the wild combining the two. It urged users to simply dump Windows 7 for Windows 10, fearing that Microsoft would be unable to fully or properly patch the flaw.
It remains to be seen whether this week's Patch Tuesday fix from Microsoft removes the risk entirely, or merely provides a form of mitigation. The patches for this flaw also cover Windows Server 2008 systems, which were affected too.
The second zero-day security flaw patched by Microsoft was uncovered by researchers at security firm Kaspersky. The elevation of privilege vulnerability they found is caused by Windows failing to properly handle 'objects' in memory, enabling attackers to run arbitrary code with administrative rights.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft warns.
Other security flaws fixed by Microsoft include three Windows DHCP client remote code execution vulnerabilities with CVSS scores of 9.8. "This is the third straight month that Microsoft patched high severity bugs in either Windows DHCP Client or Windows DHCP Server, signalling increased attention on finding DHCP bugs," according to Satnam Narang, a senior research engineer at Tenable.
Those DHCP security flaws require no interaction by the end-user - just a "specially crafted response to a client - and every operating system has a DHCP client", wrote Trend Micro's Dustin Childs for the Zero Day Initiative.
ZDI also produced a complete table of all the various fixes issued by Microsoft this week, together with their severity. Spoiler: all except two are classified as either 'important' or 'critical'. µ