Seven critical updates in Microsoft’s new year Patch Tuesday

Microsoft dropped seven critical updates yesterday as part of its first Patch Tuesday update batch of 2019.

The critical list includes a fix for a remote code execution (RCE) vulnerability in Microsoft’s Edge browser (CVE-2019-0567). Microsoft Internet Explorer also has a flaw that creates an RCE risk (CVE-2019-0541).

CVE-2019-0550, an RCE flaw in Windows Hyper-V, circumvents controls and creates a means for a guest operating system to execute arbitrary code on the host system.

Also on the critical list is CVE-2019-0547, a fix for an RCE flaw in the Windows DHCP (Dynamic Host Control Protocol) client that comes with some versions of Windows 10 and Windows Server.

If left unresolved, the vulnerability creates a means for attackers to push arbitrary (potentially malicious) code through maliciously crafted DHCP response to a vulnerable system.

DHCP is a network management protocol that used to dynamically configure systems when they connect to a router.

Security firms including Rapid7 and Trend Micro rate the DHCP flaw as the most dangerous bug resolved by the January patch batch.

“None of today’s vulns [vulnerabilities] are known to be actively exploited, although CVE-2019-0579 (RCE in the Jet Database Engine) had been publicly disclosed before getting patched,” said Greg Wiseman, a senior security researcher at Rapid7.

“In fact, a total of 11 CVEs related to the Jet Database Engine were published today, all potentially leading to RCE.”

On the server front, the updates include fixes for four vulnerabilities for SharePoint and two for Exchange Server. Redmond’s updates cumulatively grapple with 49 separate vulnerabilities. Microsoft's January 2019 security release notes can be found here.

Two vulnerabilities disclosed by the security researcher SandboxEscaper in late December remain unresolved by the latest updates. These two flaws involve a privilege escalation bug that allows any file to be read with system level access, and another separate bug that allows files to be overwritten with arbitrary data.

Although Adobe published a “security bulletin” for Flash on Tuesday, the new version of the Swiss Cheese software does not actually contain any security fixes.

Adobe’s security staff have been otherwise occupied in developing fixes for two critical vulnerabilities in Acrobat and Reader, both of which it released last Thursday, as previously reported by The Daily Swig.