Sophos News

Update now! Microsoft and Adobe’s January 2019 Patch Tuesday is here

After a busy sequence of updates in October, November, and December, the new year’s first Patch Tuesday promises a lighter workload.

All told, there are 49 patches with CVEs, a modest seven of them rated ‘critical’, plus two advisories affecting Adobe and the Windows 10 servicing stack updates (see below).

In a welcome change from recent months, there are no zero-day flaws, although one, a Remote Code Execution (RCE) flaw in the Jet database engine (CVE-2019-0579), has been publicly disclosed, thus earning it an ‘important’ rating.

Interestingly, Jet is responsible for 11 CVEs, winning it the award for being this month’s most patched component, ahead of the OS kernel, SharePoint, and Office on four each.

The seven critical-rated vulnerabilities are all RCEs, including CVE-2019-0547 in the Windows DHCP Client for all versions of Windows 10 1803, which many will still be running given the delay to 1809 (the October 2018 update).

CVE-2019-0550 and CVE-2019-0551 are RCEs affecting Windows Hyper-V, while CVE-2019-0565 is a memory corruption flaw in the Edge browser.

Rounding these out are three memory corruption flaws in the Chakra Scripting Engine, CVE-2019-0539, CVE-2019-0568, and CVE-2019-0567.

An interesting lower-priority flaw is CVE-2019-0622, an elevation of privilege (EoP) bug affecting the Android Skype app which, according to reports last week, could allow someone with physical access to bypass Android’s screen lock, giving access to photos and contacts.

As an aside for anyone still running Windows 10 1703 (April 2017’s Creators Update), Microsoft recommends that users first apply servicing stack updates (SSU), the servicing stack being the part of Windows responsible for updating.

Exchange

If there’s a curiosity this month it might be CVE-2019-0586, which Microsoft rates as important rather than critical despite the slightly alarming fact that the company’s assessment goes on to state:

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

At least one expert has pointed out that, because Exchange is a messaging server, this might not be much of a barrier, assuming the attackers know how to craft the right exploit.

If you use Exchange, definitely put this high on your test and deploy list.

Adobe

Adobe updates in Patch Tuesday correspond to last week’s APSB19-01 (a non-security update for Flash) and APSB19-02 (Acrobat/Reader), which addressed CVE-2018-16011 and CVE-2018-16018, both critical flaws.

A welcome surprise is that there are no new Flash vulnerabilities this month. At the rate Adobe has been issuing urgent fixes in recent months, the shrinking population of people using the software were surely due a break.