With their regularly scheduled Patch Tuesday updates, both companies issued fixes for scores of vulnerabilities in their widely used software.
Software makers Microsoft and Adobe both released large updates for their regularly scheduled Patch Tuesday releases today, with each company closing more than 70 security holes in their products.
Among the issues patched by Microsoft are a privilege escalation vulnerability in Microsoft’s Exchange server. The vuln allowed a security researcher to combine two other issues, creating an exploit that allows any mail user to become any other user or take control of the domain. The exploit for the flaw is already considered to be in the wild.
“This bug allows a regular user to escalate privileges to any other user on an Exchange server,” said Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative. “They could take over an account to send mail as a part of a phishing campaign, or they could just escalate and take over the server. Taking over an Exchange server would be the more likely scenario.”
The nearly 150 security issues fixed by the two companies could hint at another banner year for vulnerability research. In 2018, more than 16,500 vulnerabilities were disclosed, up 13 percent from the previous year, according to the National Vulnerability Database.
The number of security issues that each company patched is large, but not unprecedented, according to Trend Micro’s Childs, who noted that the last few Adobe Reader patches have had a similar number of issues.
“December and January are historically ‘light’ patch months for Microsoft, so the volume of patches this month isn’t that surprising,” he said.
Microsoft patched 47 issues in January and 39 issues in December.
One of the major issues identified by experts is a flaw in Microsoft’s DHCP server, which dynamically assigns network addresses to devices when they join …
Author: Robert Lemos