An Internet Explorer zero-day vulnerability that kindled some excitement and sparked a Microsoft out-of-band patch during the year-end holidays overshadowed a light January Patch Tuesday.
To exploit the Internet Explorer zero-day bug (CVE-2018-8653), an attacker required a victim to view a specially crafted website that executes arbitrary code. Without Microsoft's patch, the attacker would then gain the same rights as that user. With enough elevated privileges, the attacker could take over the affected system to view, change or delete information and create accounts with full user rights. The IE exploit, rated critical for Windows client systems and moderate for Windows Server systems, changes how the scripting engine handles objects in memory. Google's Threat Analysis Group researcher Clement Lecigne discovered the vulnerability.
"If people haven't acted on that yet, that is more important than anything that we're seeing so far this month. Make sure all your OS updates are deployed," said Chris Goettl, director of product management for security at Ivanti, based in South Jordan, Utah.
Prioritize one public disclosure over critical patches
Out of the 47 unique common vulnerabilities and exposures in January Patch Tuesday, only seven are rated as critical, and they affect Windows 10, Windows Server 2019 and the Edge browser.
Windows admins should focus on deploying one particular patch before the other critical updates, Goettl said. It's a JET Database Engine remote code execution vulnerability (CVE-2019-0579) rated important that affects all supported Windows systems. To trigger the exploit, an attacker only needs a user to open a malicious file.
"Statistically speaking, this is probably more concerning than the critical updates affecting Windows 10 and the Edge browser," Goettl said. "Then people should be most concerned about the Windows 10 updates and Windows updates in general."
Chris Goettldirector of product management for security, Ivanti
That Microsoft Edge vulnerability (CVE-2019-0565), rated as critical for Windows 10 systems and moderate for Windows Server 2019, was highly exploitable by attackers who could execute arbitrary code as the current user if they visited a specially crafted website through the Edge browser. Organizations that follow the principle of least privilege would reduce the risk.
"It's probably not as likely to be exploited because the Edge browser has such low usage, and attackers would be more interested in exploiting something through Chrome or Internet Explorer," Goettl said.
The NetMarketShare site indicates just 4% of users on desktops or laptops run the Edge browser while Chrome users make up about 67%.
New engine for Microsoft Edge
In December, Microsoft said it plans to rebuild Edge with code from the open source Chromium project, the same code used in Google Chrome and other browsers such as Opera and Vivaldi. The changeover would tap the Chromium community for contributions to browser development, and decrease Microsoft's burden to keep up with fixes to bugs and vulnerabilities. Chrome addressed 158 vulnerabilities whereas Edge fixed 156 in 2018. With the new Chromium-based Edge, the number of vulnerabilities for enterprises to address would not change.
"In the long run, it's going to be a better move for all of us," Goettl said. "It will be [Microsoft's] eyes on Chrome, as well as Google and any third parties."
Microsoft plans to release the first preview build with the Chromium engine in Edge sometime in early 2019. Microsoft will release patches for this browser on a different cadence, Goettl said, so administrators should expect to deploy patches for the Chromium Edge on a weekly basis.