Microsoft has issued its second Patch Tuesday for this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity.
February security update addresses flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.
Four of the security vulnerabilities patched by the tech giant this month have been reported as being publicly known at the time of release, and one is being actively exploited in the wild.
The vulnerability actively being exploited in the wild is rated as important and resides in the way Internet Explorer handles objects in the memory.
An attacker can trick victims into landing on a specially crafted website and exploit this vulnerability, identified as CVE-2019-0676, to check for files on a target system, leading to information disclosure.
Though Microsoft has not yet shared any details about the malicious campaign exploiting this flaw, the vulnerability likely restricted to targeted attacks.
One of the publicly disclosed flaws but not exploited in the wild, identified as CVE-2019-0636 and rated as important, concerns an information vulnerability in Windows operating system that could allow an attacker to read the contents of files on disk.
“An information vulnerability exists when Windows improperly discloses file information,” Microsoft says in its advisory. “To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application.”
As expected, almost each of the listed critical-rated vulnerabilities leads to remote code execution attacks and primarily impact various versions of Windows 10 and Server editions.
Though there is no public exploit, the critical remote code execution vulnerabilities in SharePoint (CVE-2019-0594 and CVE-2019-0604) and Windows DHCP Servers (CVE-2019-0626) are more troubling, as the successful exploitation of these flaws could allow attackers to run arbitrary code and take control of the server.
While some of the important-rated vulnerabilities also lead to remote code execution attacks, others allow elevation of privilege, information disclosure, security feature bypass, and spoofing vulnerabilities.
Users and system administrators are strongly recommended to apply the latest security patches as soon as possible to keep hackers and cybercriminals away from taking control of their systems.
For installing the latest security patch updates, head on to Settings → Update & Security → Windows Update → Check for updates, on your computer system or you can install the updates manually.
Adobe has also rolled out security updates to fix a total of 75 vulnerabilities in its various software, 71 of which resides in Adobe Acrobat and Reader alone. Users of the affected Adobe software for Windows and macOS systems are highly recommended to update their software packages to the latest versions as soon as possible.