Microsoft fixes two zero-day vulnerabilities in Windows

Microsoft has released security updates for March. It concerns a total of 64 vulnerabilities that have been fixed, 15 of which have been labeled as critical. Among other things, the zero-day leaks in Windows 7 have been closed.

The collection of security updates from March includes repairs of Windows, Office, Internet Explorer and the Edge browser, Microsoft reports in the release notes. One of the major fixes addresses vulnerability CVE-2019-0808 in Windows 7, Windows Server 2008, and Windows Server 2008 R2. That vulnerability concerns Win32k, and allows elevating privileges and running code in kernel mode. This is the zero-day vulnerability that is being actively exploited in combination with a Chrome leak and that Google warned about last week.

In addition, the zero-day vulnerability with sequence number CVE-2019-0797 has been fixed. This was found by Kaspersky and also concerns Win32k. The vulnerability was actively exploited and attacks targeted 64-bit versions of Windows 8 through Windows 10 with build version 15063. Kaspersky writes that the exploit found looked at whether it was running from Google Chrome and took no action if it did, because the vulnerability cannot be exploited from a sandbox.

Furthermore, updates KB4490628 and KB4474419 have been released that add sha-2 support to Windows 7 SP1 and Windows Server 2008 R2 SP1. That support will be required for the operating systems from July 16, otherwise they will no longer receive updates. Microsoft wants to completely get rid of signing Windows updates with the now considered unsafe sha-1.