January 2019 Patch Tuesday has seen 51 flaws corrected in Microsoft products. There are four updates to correct flaws in the Microsoft Edge Browser. Seven of the 51 updates have been marked as critical.
January 2019 Patch Tuesday Critical Vulnerabilities in Microsoft Products
The 51 updates are broken down as: Microsoft JET Database Engine (11), Microsoft Windows (6), Microsoft Office (4), Microsoft Office SharePoint (4), Windows Kernel (4), Microsoft Scripting Engine (3), ASP.NET (2), Microsoft Edge (2), Microsoft Exchange Server (2), Visual Studio (2), Windows Hyper-V (2), .NET Framework (1), Adobe Flash Player (1), Android App (1), Internet Explorer (1), Microsoft XML (1), Servicing Stack Updates (1), Windows COM (1), Windows DHCP Client (1), and Windows Subsystem for Linux (1).
The vulnerabilities marked as critical are:
CVE-2019-0547 – Windows DHCP Client
The highest rated vulnerability in this month’s round of updates is a remote code execution vulnerability in the Windows DHCP Client which would allow an attacker to execute arbitrary code on a vulnerable device by sending a specially crafted DHCP response to a target. The flaw has a CVSS v3 base score of 9.8 out of 10 and affects Windows 10 (v1803) and Windows Server (v1803).
CVE-2019-0539, CVE-2019-0567, CVE-2019-0568 – Chakra Scripting Engine
Three critical remote code execution vulnerabilities have been corrected in the Chakra Scripting Engine of Microsoft Edge. All three are memory corruption vulnerabilities that could be exploited via a specially crafted webpage or advertisement.
CVE-2019-0565 – Microsoft Edge
A further flaw affecting Microsoft Edge could lead to remote code execution on a vulnerable device if the user is convinced to visit a malicious website. This is also a memory corruption vulnerability that would allow arbitrary code to be executed in the context of the current user. If the flaw is exploited when a user with administrative rights is logged on, the attacker could take full control of the user’s device.
CVE-2019-0550, CVE-2019-0551 – Windows Hyper-V
Two critical vulnerabilities in Windows Hyper-V have been patched. The updates correct flaws in how a host server validates input from an authenticated user on a guest operating system. Both could lead to remote code execution and could be exploited by running a specially crafted application on a vulnerable guest operating system.
While only marked as important, the Jet Database Engine vulnerability (CVE-2019-0579) has been publicly disclosed, although it is not believed to be actively exploited in the wild at this stage.
Adobe January 2019 Patch Tuesday Updates
Adobe has released January 2019 Patch Tuesday updates, but surprisingly, no security vulnerabilities have been addressed in Adobe Flash Player. One update for Flash Player has been issued (APB19-01) although this only corrects performance issues and updates Flash Player to version 18.104.22.168.
One security update has been released for Adobe Digital editions which addresses the out of bounds read vulnerability (CVE-2018-12817) which could lead to information disclosure. The vulnerability has been rated as important. Users should upgrade to Adobe Digital editions v. 4.5.1 to correct the flaw.
An update has also been released for Adobe Connect to correct a session token exposure vulnerability (CVE-2018-19718) which is also marked as important. Users should upgrade to Adobe Connect 10.1 to correct the flaw.