Microsoft Patch Tuesday January 2019 released its monthly set of security updates to address the vulnerabilities in its products today. There are 49 vulnerabilities with 7 rated critical for Remote Code Execution , 40 rated important and 2 rated moderate in severity. Moreover, these updates have addressed the issues in Adobe Flash Player, Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, and Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, ASP.NET, Microsoft Exchange Server and Microsoft Visual Studio. It is also worth noting that no zero-days were reported for the fresh start of 2019. But a deep look at the other critical updates would prove useful in keeping the gremlins on your machines at bay. A vulnerability management software is necessary here.
But that’s not all! Microsoft also pulled off its non-security updates for Office 2010 that were released earlier this month following multiple issues that were reported in Excel from its Japanese customers. Microsoft advises that these updates be uninstalled to prevent crashes and other such difficulties. A patch management tool can patch these vulnerabilities. Details follow.
Publicly Disclosed about Microsoft Patch Tuesday January 2019
CVE-2019-0579 was disclosed publicly ahead of the release. This is a remote code execution vulnerability in the Windows Jet Database Engine and has been rated important. This flaw exists due to the improper handling of objects in the memory. Finally, this vulnerability affects the Confidentiality, Integrity, and Availability of a machine and an attacker can exploit this vulnerability without any form of authentication.
Critical Vulnerabilities in Microsoft Patch Tuesday January 2019
Seven critical vulnerabilities were addressed this month. And all of them allow an attacker to remotely execute code on the vulnerable systems. Most of these vulnerabilities could also allow attacks through specially crafted or compromised websites. In contrast, here is a brief overview of the vulnerabilities that are in dire need of action:
- CVE-2019-0539, CVE-2019-0567 & CVE-2019-0568 – These are memory corruption vulnerabilities in the Chakra Scripting Engine which arise due to improper handling of objects in memory in Microsoft Edge.
- CVE-2019-0547 – This a memory corruption vulnerabililty in the Windows DHCP client which arises when specially crafted DHCP responses are sent to the client by an attacker.
- CVE-2019-0550 & CVE-2019-0551 – These address vulnerabilities in Windows Hyper-V on a host server. The flaws exist due to improper validation of input supplied by an authenticated user on a guest operating system. Arbitrary code can be executed on the Hyper-V host system by running specially crafted file on the guest operating system.
- CVE-2019-0565 – This is a memory corruption vulnerability in Microsoft Edge which arises due to improper access of objects in memory.
Microsoft Patch Tuesday January 2019 release consists of security updates for the following products:
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- ChakraCore
- .NET Framework
- ASP.NET
- Microsoft Exchange Server
- Microsoft Visual Studio
- Latest Servicing Stack Updates (ADV990001)
Microsoft security bulletin summary for December 2018:
Product : Internet Explorer
CVEs/Advisory : CVE-2019-0541
Severity : Important
Impact : Remote Code Execution
KBs : 4480116, 4480961, 4480962, 4480963, 4480965, 4480966, 4480968, 4480970, 4480973, 4480975, 4480978
Product : Microsoft Edge
CVEs/Advisory : CVE-2019-0539, CVE-2019-0565, CVE-2019-0566, CVE-2019-0567, CVE-2019-0568
Severity : Critical
Impact : Remote Code Execution, Elevation of Privilege
KBs : 4480116, 4480961, 4480962, 4480966, 4480973, 4480978
Product : Microsoft Windows
CVEs/Advisory : CVE-2019-0536, CVE-2019-0538, CVE-2019-0543, CVE-2019-0547, CVE-2019-0549, CVE-2019-0550, CVE-2019-0551, CVE-2019-0552, CVE-2019-0553, CVE-2019-0554, CVE-2019-0555, CVE-2019-0569, CVE-2019-0570, CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584
Severity : Critical
Impact : Elevation of Privilege, Information Disclosure and then Remote Code Execution
KBs : 4480116, 4480957, 4480960, 4480961, 4480962, 4480963, 4480964, 4480966, 4480968, 4480970, 4480972, 4480973, 4480975, 4480978
Product : Microsoft Office and Microsoft Office Services and then Web Apps
CVEs/Advisory : CVE-2019-0541, CVE-2019-0556, CVE-2019-0557, CVE-2019-0558, CVE-2019-0559, CVE-2019-0560, CVE-2019-0561, CVE-2019-0562, CVE-2019-0585, CVE-2019-0622
Severity : Important
Impact : Elevation of Privilege, Information Disclosure, Remote Code Execution and then Spoofing
KBs : 2553332, 2596760, 3172522, 4022162, 4461535, 4461537, 4461543, 4461589, 4461591, 4461594, 4461595, 4461596, 4461598, 4461601, 4461612, 4461614, 4461617, 4461620, 4461623, 4461624, 4461625, 4461633, 4461634, 4461635, 4462112
Product : ChakraCore
CVEs/Advisory : CVE-2019-0539, CVE-2019-0567, CVE-2019-0568
Severity : Critical
Impact : Remote Code Execution
Product : Microsoft Exchange Server
CVEs/Advisory : CVE-2019-0586, CVE-2019-0588
Severity : Important
Impact : Remote Code Execution, Information Disclosure
KBs : 4468742, 4471389
Product : Microsoft Visual Studio
CVEs/Advisory : CVE-2019-0537, CVE-2019-0546,
Severity : Important
Impact : Information Disclosure, Remote Code Execution
KBs : 4476698, 4476755
Product : Adobe Flash Player
CVEs/Advisory : ADV190001
KBs : 4480979
Product : .NET Framework
CVEs/Advisory : CVE-2019-0545
Severity : Important
Impact : Information Disclosure
KBs : 4480051, 4480054, 4480055, 4480056, 4480057, 4480058, 4480059, 4480061, 4480062, 4480063, 4480064, 4480070, 4480071, 4480072, 4480074, 4480075, 4480076, 4480083, 4480084, 4480085, 4480086, 4480961, 4480962, 4480966, 4480973, 4480978
Product : ASP.NET
CVEs/Advisory : CVE-2019-0548, CVE-2019-0564
Severity : Important
Impact : Denial of Service
Office updates to be uninstalled
- Update for Microsoft Excel 2010 (KB4461627)
- Update for Microsoft Office 2010 (KB4032217)
- Update for Microsoft Office 2010 (KB4032225)
- Update for Microsoft Office 2010 (KB4461616)
However, SecPod Saner detects these vulnerabilities and automatically fixes it by applying security updates. Therefore, Download Saner now and keep your systems updated and secure.