Two Windows zero-day flaws fixed in latest Microsoft Patch Tuesday

Users urged to update Windows ASAP to fix security flaws actively being exploited in the wild

Microsoft's March 2019 Patch Tuesday includes fixes for two zero-day elevation-of-privilege flaws in the Win32k kernel-mode component (CVE-2019-0797 and CVE-2019-0808) that are being actively exploited in the wild. They are among 64 fixes in this month's release, 17 of which are rated 'critical'.

The most closely watched patch is for the Windows 7 flaw that Google publicly warned about last week. Google said it had observed exploits in the wild chaining that flaw with a separate bug in the Google Chrome web browser (itself already fixed in Chrome 72.0.3626.121) to take over systems. It urged users to move straight from Windows 7 to Windows 10, whose exploit mitigations blocked the technique, amid doubts about whether Microsoft would be able to fully or properly patch the flaw on the older platform.

It remains to be seen whether this week's Patch Tuesday fix from Microsoft removes the risk entirely or merely provides a form of mitigation. The patches for this flaw also cover Windows Server 2008 systems, which share the affected component.

The second zero-day security flaw patched by Microsoft was uncovered by researchers at anti-virus software firm Kaspersky. The elevation of privilege vulnerability they found is caused by the Win32k component failing to properly handle objects in memory, enabling an attacker who already has local access to run arbitrary code in kernel mode. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft warns.
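The practical question for an administrator is whether the March 2019 update that carries both Win32k fixes (and, in the same rollup, the DHCP client fixes discussed below) has actually landed on a given machine. The PowerShell below is an added example, not code from the article or from Microsoft: it checks the installed hotfix list for the expected update and records the win32k.sys file version for cross-checking. The KB numbers in `$RequiredKBs` are assumptions used for illustration (the Windows 7 SP1 / Server 2008 R2 monthly rollup and security-only update); confirm the correct KB for each OS build against the Microsoft Security Update Guide entries for CVE-2019-0797 and CVE-2019-0808 before relying on the result.

```powershell
# Added example (not from the article): verify the March 2019 Win32k patch is installed.
# ASSUMPTION: the KB IDs below are illustrative for Windows 7 SP1 / Server 2008 R2.
# Look up the real KB for your OS build in the Microsoft Security Update Guide.
param(
    [string[]]$RequiredKBs = @('KB4489878', 'KB4489885')
)

function Test-March2019Patch {
    param([string[]]$KBs)

    # Get-HotFix reads Win32_QuickFixEngineering; rollups and cumulative updates
    # appear here once installed. Updates applied by some third-party tools may not.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KBs | Where-Object { $installed -contains $_ })

    if ($found.Count -gt 0) {
        Write-Output "PATCHED: found $($found -join ', ')"
        return $true
    }

    Write-Output "MISSING: none of $($KBs -join ', ') is installed; apply the March 2019 update"
    return $false
}

# Record the kernel-mode driver version so the KB result can be cross-checked
# against the file version listed in the Security Update Guide for this build.
$win32k = Get-Item (Join-Path $env:SystemRoot 'System32\win32k.sys')
Write-Output ("win32k.sys version: " + $win32k.VersionInfo.FileVersion)

Test-March2019Patch -KBs $RequiredKBs
```

Run it in an elevated PowerShell session on each host; a `MISSING` result on a Windows 7 or Server 2008 machine means the Google-reported flaw is still unpatched there, regardless of whether Chrome has been updated.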

Other security flaws fixed by Microsoft include three Windows DHCP client remote code execution vulnerabilities with CVSS scores of 9.8. "This is the third straight month that Microsoft patched high severity bugs in either Windows DHCP Client or Windows DHCP Server, signaling increased attention on finding DHCP bugs," according to Satnam Narang, a senior research engineer at Tenable.

Those DHCP security flaws require no interaction by the end-user - just a "specially crafted response to a client - and every operating system has a DHCP client", wrote Trend Micro's Dustin Childs for the Zero Day Initiative.

ZDI also produced a complete table of all the various fixes issued by Microsoft this week, together with their severity. Spoiler: all except two are classified as either 'important' or 'critical'.
