Stock Market News

Rapid7 : Patch Tuesday - January 2019

January 08, 2019 at 06:14 pm

Microsoft's first updates of the year address 49 separate vulnerabilities, which is on the low side relatively speaking. We're also getting rare respite from Flash vulnerabilities (although Adobe published a 'security bulletin' for Flash today, the new version does not actually contain any security fixes). It's worth noting, however, that Adobe fixed two Critical vulnerabilities in Acrobat and Reader last Thursday (APSB19-02).

The most severe vulnerability being patched today is CVE-2019-0547, a Remote Code Execution (RCE) in the Windows DHCP client, though thankfully it only affects version 1803 of Windows 10 and Windows Server. An attacker able to send a maliciously crafted DHCP response to a vulnerable system would be able to run arbitrary code. DHCP is a network management protocol often used to dynamically configure things like IP addresses for systems when they connect to a router. Any untrusted network, such as a random Wi-Fi hotspot in a coffee shop, is a potential vector for this attack.

None of today's vulns are known to be actively exploited, although CVE-2019-0579 (RCE in the Jet Database Engine) had been publicly disclosed before getting patched. In fact, a total of 11 CVEs related to the Jet Database Engine were published today, all potentially leading to RCE.

It doesn't look as though either of the two vulnerabilities disclosed by the security researcher SandboxEscaper towards the end of last month were resolved by today's updates. One is a privilege escalation bug that lets any file be read with system level access, and the other allows a target file to be overwritten with arbitrary data.

Other notable bugs that were fixed today include CVE-2019-0550 (RCE in Windows Hyper-V that could allow a guest operating system to execute arbitrary code on the host system), CVE-2019-0567 (RCE in the Edge browser), and CVE-2019-0585 (RCE in Microsoft Word). On the server side, four vulnerabilities for SharePoint were patched and two for Exchange Server.

Note: not all CVEs had CVSSv3 data available at the time of writing

Attachments

Original document
Permalink

Disclaimer

Rapid7 Inc. published this content on 08 January 2019 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 08 January 2019 23:13:04 UTC

All News: More news

Man who smuggled military tech to Russia sentenced to 3 years in US jail	07-17	RE
Wall Street: Soxx plunges to its lowest level since 03/2022	07-17	CF
US Navy exonerates 258 Black sailors unjustly punished after 1944 explosion	07-17	RE
US Senator Menendez tells allies he will resign after conviction, NBC News reports	07-17	RE
Crown Castle beats second-quarter site rental revenue estimates on steady demand	07-17	RE
Activist investor Politan files lawsuit against Masimo	07-17	RE
Steel Dynamics quarterly profit nearly halves on weak steel pricing	07-17	RE
Femsa to Sell Food Service Equipment Operations in $451.9 Million Deal	07-17	DJ
MORNING BID ASIA-Volatility returns as tech tanks, yen spikes	07-17	RE
Trump national security adviser calls on Taiwan to lift defense spending	07-17	RE
Discover Financial quarterly profit jumps on higher interest income	07-17	RE
Boeing Seattle factory workers to send 'strong message' at strike sanction vote, union says	07-17	RE
Equifax sees Q3 revenue below estimates amid mortgage market slowdown	07-17	RE
UK's Starmer uses European forum to press for EU reset, Ukraine support	07-17	RE
British, Irish PMs seek to reset strained ties over pints of Guinness	07-17	RE