TL;DR: Update it all. Yes, everything
February’s Patch Tuesday is a relatively big edition, as Microsoft rolls out fixes for 74 separate vulnerabilities.
CVE-2019-0676 – an information disclosure bug in Internet Explorer that could allow an attacker to probe for the presence of files on disk – has already been exploited in the wild.
Attacks based on the vulnerability would involve first tricking users into visiting a malicious website. Internet Explorer 10 on Windows Server 2012 and Internet Explorer 11 on Windows 7, 8.1 and 10 and Windows Server 2008, 2012, 2016 and 2019 all need hardening up to defend against the flaw.
Another primary candidate for early triage is a remote code execution (RCE) vulnerability in Windows DHCP Server (CVE-2019-0626) that could allow an attacker to inject malicious code onto an affected Dynamic Host Configuration Protocol server.
The CVSS score for this vulnerability is 9.8 out of a possible maximum of 10.
Other entries on the critical list – CVE-2019-0662 and CVE-2019-0618 – also create an RCE risk. The critical flaw in Windows Graphic Device Interface set up a potential mechanism for a hacker to break into a vulnerable system via either web-based or file-sharing attacks.
“CVE-2019-0630 and CVE-2019-0633 (RCEs in Windows SMBv2 server) are worth watching out for,” warned Greg Wiseman, senior security researcher for Rapid7, the firm behind the Metasploit penetration testing tool.
“While you can take comfort in the knowing that an attacker would need to be authenticated to exploit them, they could easily run arbitrary code on a vulnerable system.”
CVE-2019-0686, a privilege elevation vulnerability in Exchange Server, is now covered by a proper patch instead of just the mitigation advice Microsoft offered when it first disclosed the problem last week.
Another mitigated flaw, CVE-2019-0636, is an information disclosure vulnerability in Windows that could allow a logged-in user to access other users’ files without authorization.
The SANS Institute Internet Storm Centre has put together a graphical table detailing these, and other patches released by Microsoft on February 12.
The releases also include cumulative updates for Adobe Flash Player, a product bundled with Internet Explorer.