Microsoft has issued patches for 51 vulnerabilities this January 2019 Patch Tuesday. Of the vulnerabilities, 7 were rated critical. Unlike the four preceding months, none of the vulnerabilities were identified as being actively exploited in the wild. There were 17 flaws which were marked as “remote code execution” issues, meaning that a hacker could use them to execute malware on Microsoft products without needing access to the system beforehand.
The 51 updates are broken down as: Microsoft JET Database Engine (11), Microsoft Windows (6), Microsoft Office (4), Microsoft Office SharePoint (4), Windows Kernel (4), Microsoft Scripting Engine (3), ASP.NET (2), Microsoft Edge (2), Microsoft Exchange Server (2), Visual Studio (2), Windows Hyper-V (2), .NET Framework (1), Adobe Flash Player (1), Android App (1), Internet Explorer (1), Microsoft XML (1), Servicing Stack Updates (1), Windows COM (1), Windows DHCP Client (1), and Windows Subsystem for Linux (1).
Seven vulnerabilities were marked as critical. Three affect the ChakraCore scripting engine included in Edge, two affect Microsoft’s Hyper-V server virtualisation environment, one impacts Edge directly, and one affects the ubiquitous Windows DHCP client.
The critical vulnerabilities are:
CVE-2019-0547 – Windows DHCP Client
The highest rated vulnerability in this month’s round of updates is a remote code execution vulnerability in the Windows DHCP Client which would allow an attacker to execute arbitrary code on a vulnerable device by sending a specially crafted DHCP response to a target. The flaw has a CVSS v3 base score of 9.8 out of 10 and affects Windows 10 (v1803) and Windows Server (v1803).
CVE-2019-0539, CVE-2019-0567, CVE-2019-0568 – Chakra Scripting Engine
Three critical remote code execution vulnerabilities have been corrected in the Chakra Scripting Engine of Microsoft Edge. All three are memory corruption vulnerabilities that could be exploited via a specially crafted webpage or advertisement.
CVE-2019-0565 – Microsoft Edge
A further flaw affecting Microsoft Edge could lead to remote code execution on a vulnerable device if the user is convinced to visit a malicious website. This is also a memory corruption vulnerability that would allow arbitrary code to be executed in the context of the current user. If the flaw is exploited when a user with administrative rights is logged on, the attacker could take full control of the user’s device.
CVE-2019-0550, CVE-2019-0551 – Windows Hyper-V
Two critical vulnerabilities in Windows Hyper-V have been patched. The updates correct flaws in how a host server validates input from an authenticated user on a guest operating system. Both could lead to remote code execution and could be exploited by running a specially crafted application on a vulnerable guest operating system.
While only marked as important, the Jet Database Engine vulnerability (CVE-2019-0579) has been publicly disclosed, although it is not believed to be actively exploited in the wild at this stage.
Adobe January 2019 Patch Tuesday Updates
Adobe has released January 2019 Patch Tuesday updates. No security vulnerabilities have been addressed in Adobe Flash Player. One update for Flash Player has been issued (APB19-01) although this only corrects performance issues and updates Flash Player to version 126.96.36.199.
One security update has been released for Adobe Digital Editions, which addresses an out-of-bounds read vulnerability (CVE-2018-12817) that could lead to information disclosure. The vulnerability has been rated as important. Users should upgrade to Adobe Digital Editions v. 4.5.1 to correct the flaw.
An update has also been released for Adobe Connect to correct a session token exposure vulnerability (CVE-2018-19718) which is also marked as important. Users should upgrade to Adobe Connect 10.1 to correct the flaw.