Patch Tuesday January 2019
Three critical remote code execution vulnerabilities are patched this month, the most alarming of which is a memory corruption flaw in the Windows DHCP client. If an attacker sends specially crafted DHCP responses, it is possible to run arbitrary code. This vulnerability has already been patched in Windows 10 version 1809, which is the latest feature update.
The other two remote code execution vulnerabilities are when Hyper-V hosts fail to validate input from authenticated users in guest operating systems, allowing attackers to run specially crafted applications in the guest that might cause the Hyper-V host OS to execute arbitrary code. This vulnerability is harder to exploit than the DHCP client issue. None of these vulnerabilities are currently being exploited but as always it is best to patch your systems as soon as possible.
There are 24 important patches for Windows 10 version 1803, including 8 elevation of privilege, 5 information disclosure, and 11 remote code execution flaws. There’s one important vulnerability for Internet Explorer 11, a remote code execution vulnerability where the MSHTML engine improperly validates input and it could allow an attacker to run arbitrary code in the context of the current user. A patch for CVE-2018-8653, which was released late last month to plug a zero-day in IE, is also included in January’s Patch Tuesday rollups and it should be applied as soon as possible if you haven’t done it already.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Microsoft Edge gets 4 critical remote code execution updates. 3 are memory corruption vulnerabilities in the Chakra scripting engine and the fourth is a memory corruption flaw that could allow an attacker who successfully exploited the vulnerability to get the same user rights as the logged in user. There are also 4 information disclosure vulnerabilities patched for the .NET Framework.
While not related to Patch Tuesday, Windows 10 version 1809 got a new cumulative update on January 22nd but it doesn’t include any security fixes.
Windows 7 gets patches for 11 important remote code execution vulnerabilities for the Windows Jet Database Engine. Both the security and monthly rollups are reportedly causing problems with clients connecting to SMBv2 network shares. Microsoft released an update for Windows 7 January 11th to address the issue. There are a couple of other known issues with the Windows 7 rollup that you might want to check out on Microsoft’s website here.
Windows Server 2016
There’s one critical remote code execution flaw this month, the same as the Hyper-V problem I described above for Windows 10. The remaining important flaws are the same as those for Windows 10.
Windows Server 2008 R2
There are 16 important updates for Windows Server 2008 R2. One is an elevation of privilege flaw when Windows improperly handles authentication requests. 4 are information disclosure issues and there are 11 remote code execution vulnerabilities for the Windows Jet Database Engine.
There are two important patches for Exchange Server 2016 CU 10 and 11, one of which is a remote code execution flaw.
Microsoft Office 2016 gets two patches rated important. One fixes a problem where Office improperly discloses the contents of its memory, potentially allowing an attacker to use the information to compromise the user’s computer or data. The second is a remote code execution vulnerability in how the MSHTML engine validates input.
Adobe Flash Player and Acrobat Reader
Adobe updates Flash Player this month but there are no security vulnerabilities patched. Acrobat Reader does however get patches for two critical security flaws.
And that is it for this month!