Patch Tuesday, February 2019 Edition
Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month’s patch batch tackles some notable threats to enterprises — including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.
Some 20 of the flaws addressed in February’s update bundle are weaknesses labeled “critical,” meaning Microsoft believes that attackers or malware could exploit them to fully compromise systems through little or no help from users — save from convincing a user to visit a malicious or hacked Web site.
Microsoft patched a bug in Internet Exploder Explorer (CVE-2019-0676) discovered by Google that attackers already are using to target vulnerable systems. This flaw could allow malware or miscreants to check for the presence of specific files on the target’s hard drive.
Another critical vulnerability that impacts both end users and enterprises is a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”). That flaw, CVE-2019-0626, could let an attacker execute malcode of his choice just by sending the target a specially crafted DHCP request.
At the top of the list of patch concerns mainly for companies is a publicly disclosed issue with Microsoft Exchange services (CVE-2019-0686) that could allow an attacker on the same network as the target to access the inbox of other users. Microsoft said it has not seen active exploitation of this bug yet, but considers it likely to be exploited soon.
Security experts are fond of saying “patch now!” when it comes to Windows bugs, but in general it can’t hurt for regular users to wait a day or two after Microsoft releases monthly security updates before installing the fixes. That’s because occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.
Just don’t put off the task too long. And bear in mind it’s a good idea to get in the habit of backing up your data before installing Windows updates, to hedge against the odd case in which a wonky patch ends up rendering your system unusable until you can work out how to reverse the changes.
Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
Microsoft also included fixes to address a single vulnerability in Adobe Flash Player. Microsoft and Adobe disagree on the severity of this flaw, according to security firm Qualys. Adobe labels it an “important” bug, while Microsoft tags it with a far more severe “critical” label. Regardless, Flash flaws are favorite targets of attackers. If you brows the Web with IE or Edge, this month’s patch batch from Microsoft has you covered.
Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.
Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.
Adobe also released updates for Adobe Acrobat and Reader that plug at least 70 security holes in these applications, so if you have either installed please be sure to update those.
As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.
This post first appeared on Krebs on Security