Patch Tuesday, January 2019 Edition
Microsoft on Tuesday released updates to fix roughly four dozen security issues with its Windows operating systems and related software. All things considered, this first Patch Tuesday of 2019 is fairly mild, bereft as it is of any new Adobe Flash updates or zero-day exploits. But there are a few spicy bits to keep in mind. Read on for the gory details.
The updates released Tuesday affect Windows, Internet Explorer and Edge, Office, Sharepoint, .NET Framework and Exchange. Patches are available for all client and server versions of Windows, but none of the “critical” flaws — those that can lead to a remote system compromise without any help from users — apply to Windows 7 or Windows 8.1, according to Martin Brinkmann at Ghacks.net.
Mercifully, none of the vulnerabilities fixed in Tuesday’s bundle are being actively exploited, although one (CVE-2019-0579) was publicly disclosed prior to the patch release, meaning attackers may have had a head start figuring out how to exploit it. This bug is one of 11 that Microsoft fixed in its Jet Database Engine.
Among the more eyebrow-raising flaws fixed this week is CVE-2019-0547, a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”). According to security vendor Tenable, this is the most severe bug of the entire patch batch.
“In order to exploit the vulnerability, an attacker would need to be able to send a specially crafted DHCP response to its target, allowing them to run arbitrary code on the client machine,” said Satnam Narang, senior research engineer at Tenable.
Tuesday’s update bundle also includes a fix that Microsoft released late last month as an emergency patch to plug a zero-day flaw in Internet Explorer (CVE-2018-8653) that attackers are already exploiting. Experts at Recorded Future say that vulnerability continues to be exploited in the wild, with several exploit kits now including the publicly released proof-of-concept code into their platforms.
“If you have not patched this vulnerability yet, it should be the number one priority,” writes Allan Liska, senior solutions architect at Recorded Future.
It generally can’t hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.
Case in point: Computerworld’s Woody Leonhard notes that multiple organizations are reporting problems with their file-sharing operations after installing this month’s patch rollup.
Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. Also, it’s a good idea to get in the habit of backing up your data before installing Windows updates.
Adobe released an update for its Flash Player plugin, but alas there don’t appear to be any security fixes in it. However, the company last Thursday did release new versions of its Adobe Acrobat and Reader that correct at least two critical vulnerabilities in each.
If you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.
This post first appeared on Krebs on Security