JANUARY 2019 – Microsoft Patch Tuesday

The holidays are behind us and here we are, already well into a brand new year. They seem to come and go faster and faster, the older I get. One constant, though (at least for the past sixteen years) is that when the second Tuesday of the month rolls around, Microsoft gifts us with a batch of freshly baked patches.

 

The beginning of a new year always inspires us to look both back and ahead. 2018 was another big year in terms of high-profile security issues and breaches. Facebook’s multiple breaches compromised the personal information of millions of social media users. Customers of Marriott hotels weren’t pleased to learn of their huge data breach that affected hundreds of millions of people. Other big companies in the news as victims of attacks included Ticketmaster, British Airways, Orbitz, T-Mobile, Google, and many more.


There are many measures an organization can take to avoid being the next to deal with the ramifications of a major breach (which include bad PR, downtime, loss of customers, and possible regulatory actions such as fines). Keeping all systems updated is high on that list. Many attackers are able to compromise a server by exploiting vulnerabilities for which fixes are already available, because many systems go unprotected due to delays in applying the patches.

 

There are plenty of reasons for that: work overloads and short staffing, fear of adverse effects of patches on production systems, and so forth. But even if you’ve been lax about getting computers patched in the past, 2019 brings the opportunity to start over and make timely security updating one of your network admin New Year’s resolutions.


January’s updates include fixes for all currently supported Microsoft client and server operating systems and both Microsoft web browsers, but the good news is that fewer of these are rated critical than is often the case. As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

Now let’s take a closer look at this month’s patches.

Security Advisories

The following security advisories were released on Patch Tuesday this month:

  • ADV190001: Adobe Flash Update. This is the usual advisory for an update for Adobe Flash on Windows, as described in Adobe’s own Security Bulletin APSB19-01. The patch is a priority 3 update that applies to Windows, IE, and Edge. It is not technically a security update, since it fixes performance and feature bugs and doesn’t include security fixes, but it is included with the Patch Tuesday security updates.

Operating system, OS components, and web browser updates

Windows 10 has the largest number of vulnerabilities patched this month of the client operating systems.

Windows 10

Depending on the version, twenty-three to twenty-six vulnerabilities are fixed in this round of updates. Only three of the vulnerabilities are critical, across all the versions of Windows 10. The rest are classified as important.

The following security updates apply to Windows 10:

 

 

 

 

These updates include security fixes for Internet Explorer, Windows App Platform and Frameworks, the Microsoft Scripting Engine, Windows Kernel, Windows Hyper-V, Windows MSXML, the Microsoft JET Database Engine, Windows Storage and File Systems, Wireless Networking component, Windows virtualization, Windows Authentication, and more.

You can find details about each of the patches in the corresponding KB articles linked to each OS version above.

Older client operating systems

There is good news for those who are still running one of the older operating systems. There are no critical vulnerabilities addressed in this batch of fixes. Eighteen important vulnerabilities are patched in Windows 8.1 and fifteen in Windows 7.

The following security updates apply to previous Windows operating systems:

These updates include protections against an additional subclass of speculative execution side-channel vulnerability known as Speculative Store Bypass (CVE-2018-3639) for AMD-based computers. These protections aren’t enabled by default.

They also address a security vulnerability in session isolation that affects PowerShell remote endpoints. By default, PowerShell remoting only works with administrator accounts, but can be configured to work with non-administrator accounts. Starting with this release, you cannot configure PowerShell remote endpoints to work with non-administrator accounts.

In addition, there are security updates to Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.

You can find details about each of the patches in the corresponding KB articles linked to each OS version above.

Windows Server operating systems

The four currently supported versions of Windows Server each have from fifteen to twenty-five vulnerabilities patched this month, depending on the OS version. There are no critical vulnerabilities addressed in Windows Server 2008 R2 and 2012 R2. Fifteen and eighteen important vulnerabilities, respectively, are addressed.

The two newer versions, Windows Server 2016 and 2019, have one and two critical vulnerabilities patched, respectively, and twenty-three and twenty-five important issues addressed.

The following security updates apply to Windows Server:

  • Windows Server 2012 R2 – KB4480963 (Monthly Rollup) and KB4480964 (Security-only)
  • Server 2008 R2 SP1 – KB4480970 (Monthly Rollup) and KB4480960 (Security-only)
  • Windows Server 2016 – KB4483229 (Security update for Internet Explorer)
  • Windows Server 2019 – KB4483235 (Security update for Internet Explorer)

Microsoft web browsers

This month’s updates address two vulnerabilities (one of which is critical) in Internet Explorer 11 and five vulnerabilities (four of which are critical) in Microsoft Edge.

The following security updates apply to Microsoft’s web browsers:

  • Security update for Internet Explorer KB4483235
  • Security update for Internet Explorer KB4483234
  • Security update for Internet Explorer KB4483232
  • Security update for Internet Explorer KB4483230
  • Security update for Internet Explorer KB4483229
  • Cumulative Security Update for Internet Explorer KB4480965

Other software/services

Security updates were also released on January 8 for Microsoft Office and Office Services and Web Apps, ChakraCore, the .NET Framework, Exchange Server, and Visual Studio.

Critical vulnerabilities

The following are some of the critical vulnerabilities addressed by this month’s updates:

CVE-2019-0551 | Windows Hyper-V Remote Code Execution Vulnerability – A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

CVE-2019-0547 | Windows DHCP Client Remote Code Execution Vulnerability – A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.

CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability – A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2019-0539 | Chakra Scripting Engine Memory Corruption Vulnerability – A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.

CVE-2019-0565 | Microsoft Edge Memory Corruption Vulnerability – A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system.