Microsoft's March round of security updates for its Windows operating system is patching no fewer than 17 flaws rated as critical, with two others known to be exploited in the wild by attackers.
The two exploited vulnerabilites affect the Windows win32k.sys kernel driver, and are very similar privilege escalation bugs.
They have been given the Common Vulnerabilities and Exposures indexes of CVE-2019-0797 and CVE-2019-0808; security vendor Kaspersky Labs discovered the former, and Google's Threat Analysis Group the latter, which was exploited in combination with a flaw in its Chrome web browser on Windows.
Critical but not known to be exploited bugs handled this Patch Wednesday are remote code execution vulnerabilities in the Chakra Javascript engine, Windows TFTP deployment server, and memory corruption in the Windows scripting engine.
Microsoft is again patching vulnerabilites in the dynamic host control protocol (DHCP) client for Windows, with three flaws allowing remote code execution.
A malicious DHCP server sending specially crafted responses to unpatched clients can exploit the three vulnerabilities to fully take over the target systems.
The DHCP flaws are rated as 9.8 out of 10 on the Common Vulnerabilities Scoring System.
