The security update for this month contains seven patches classified as critical and one publicly known vulnerability.
Microsoft’s first Patch Tuesday update of 2019 primarily addresses remote code execution (RCE) vulnerabilities, which account for nearly half of the total fixes. Companies are also encouraged to apply an out-of-band Internet Explorer patch released in December following active attacks in the wild.
Seven of the Common Vulnerabilities and Exposures (CVEs) are classified as critical in severity, 40 are important and two are moderate. The patches and advisories issued today cover Internet Explorer, Microsoft Edge, Windows, Office, Web Apps and Office Services, ChakraCore, Visual Studio and the .NET Framework.
As Dustin Childs of Trend Micro’s Zero Day Initiative pointed out in a blog post, RCE defects make up half of the CVEs addressed in January 2019. Of these, eleven involve the Jet Database Engine. One (CVE-2019-0579) is rated important in severity and could allow an attacker to execute arbitrary code on a victim system, reports Microsoft. Exploitation requires user interaction: the target must open a specially crafted file.
While this disclosed vulnerability is only rated important, sufficient information has been made available to the public that an attacker could easily develop exploits for the flaw, says Chris Goettl, Director of Product Management for Security at Ivanti. CVE-2019-0547, an RCE vulnerability in the Windows DHCP client, is also a high priority.
A memory corruption vulnerability exists in the client when an attacker sends specially crafted DHCP responses to it, reports Microsoft. Successful exploitation would allow an attacker to execute arbitrary code on the client machine.
“Execution of the code by means of a widely available listening service means that this is a wormable bug,” Childs said. “Microsoft also gives this its highest rating for the Exploit Index, which means that the bug is highly exploitable.” He noted that, interestingly, this flaw is present in the latest version of Windows but not in previous versions, probably because the component has been rewritten for newer systems.
“If you run Windows 10 or Server version 1803, this patch must be at the top of your list of deployments,” wrote Childs. An Office bug (CVE-2019-0560) found by Mimecast could allow unintentional data leakage in previously created Office documents and files. While it is difficult to use as a code execution vulnerability, it could unintentionally expose users’ data.
“While this vulnerability can certainly be exploited to carry out a remote execution attack, this would require relatively high technical expertise on behalf of the attacker,” says Matthew Gardiner, Mimecast security strategist.
“The potential for previously created Office files to have sensitive content in them without the knowledge of the organization or user who created them is more worrying in the immediate timeframe,” he explains. Much of the discussion this month is about CVE-2018-8653, an Internet Explorer memory corruption vulnerability for which Microsoft issued an out-of-band patch in December 2018.
The flaw could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, says Microsoft, and an attacker could gain the same user rights as that user. “This vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate proof of concept code into their platforms,” says Allan Liska, senior solutions architect at Recorded Future. “If this vulnerability has not yet been patched, this should be the No. 1 priority.”