January 2019 Patch Tuesday: 49 security patches, 7 critical

Microsoft’s first Patch Tuesday of 2019 includes 49 security patches, seven of which are listed as Critical. Of all the plugged security holes, none are reported as being actively exploited in the wild.

Updates have been made available for a variety of Microsoft products, including Windows, Office, its two browsers, the .NET Framework and Exchange Server.

January 2019 Patch Tuesday

Patches to priorize

The most noteworthy and critical patch among those offered is the one for CVE-2019-0547, a remote code execution flaw in the Windows DHCP client.

“A bug in the DHCP client could allow attackers to execute their code on affected systems. Code execution through a widely available listening service means this is a wormable bug. Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable,” Trend Micro Zero Day Initiative’s Dustin Childs noted, and advised administrators to put it in their “patch now” category.

The bug is present only in Windows 10 and Server version 1803, i.e., the latest versions of the OS, so it’s likely that the affected component has been rewritten for those systems (and the bug introduced).

Childs also pointed out CVE-2019-0586, a Microsoft Exchange memory corruption vulnerability, as critical (although Microsoft does not consider it to be so).

“[The patch] corrects a bug in Exchange that could allow an attacker to take control of an Exchange server just by sending it a specially crafted email. That’s a bit of a problem, as receiving emails is a big part of what Exchange is meant to do,” he pointed out. “If you use Exchange, definitely put this high on your test and deploy list.”

Other vulnerabilities of note include CVE-2019-0550 and CVE-2019-0551, two critical vulnerabilities in Hyper-V that could potentially lead to a VM escape, and ten remote code execution vulnerabilities affecting the Windows Jet Database Engine that could be exploited by an attacker by enticing a victim to open a specially crafted file. One of these has been publicly disclosed.

Jimmy Graham, Senior Director of Product Management at Qualys, advises to prioritize browser and Chakra Scripting Engine patches for workstation-type devices.