Patch Tuesday, March 2019 Edition
Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and Sharepoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.
One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.
Microsoft also addressed a zero day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.
If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.
This is the third month in row Microsoft has released patches to fix high-severity, critical flaws in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”).
These are severe “receive a bad packet of data and get owned” type vulnerabilities. But Allan Liska, senior solutions architect at security firm Recorded Future, says DHCP vulnerabilities are often difficult to take advantage of, and the access needed to do so generally means there are easier ways to deploy malware.
The bulk of the remaining critical bugs fixed this month reside in Internet Explorer, Edge and Office. All told, not the craziest Patch Tuesday. Even Adobe’s given us a month off (or at least a week) patching critical Flash Player bugs: The Flash player update shipped this week includes non-security updates.
Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.
Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.
As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.
This post first appeared on Krebs on Security