Microsoft fixed 51 security vulnerabilities in January Patch Tuesday
Microsoft released the January security patch in a routine update yesterday, fixing 51 security vulnerabilities. There are no vulnerabilities that have been exploited in the wild. Only one vulnerability has been disclosed previously. This vulnerability is CVE-2019-0579. ZDI publicly disclosed this vulnerability in September (because Microsoft has not fixed the vulnerability for more than 120 days), Microsoft then fixed the vulnerability in the October patch day, but there are still ways to bypass it.
There are three critical vulnerabilities that fixed on this update
- CVE-2019-0550, CVE-2019-0551 – Windows Hyper-V Remote Code Execution Vulnerability
These are two different CVEs, but I grouped them together as they have the same exploit scenario and impact. For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS. The root cause for both of these bugs goes back to the failure to properly validate user input. Although titled as “remote code execution,” these bugs require an attacker to execute code on the guest OS. At last year’s Pwn2Own, these bugs could have earned up to $250,000 USD for a participant. This year’s event will also likely include large payouts for Hyper-V exploits. Let’s hope we see some bugs like these demonstrated at the contest.- CVE-2019-0547 – Windows DHCP Client Remote Code Execution Vulnerability
If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list. A bug in the DHCP client could allow attackers to execute their code on affected systems. Code execution through a widely available listening service means this is a wormable bug. Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable. It’s interesting the vulnerability exists in the latest version of the OS but not previous ones. It’s likely due to the component being re-written for the newer systems. Regardless, definitely put this in your “patch now” category.- CVE-2019-0586 – Microsoft Exchange Memory Corruption Vulnerability
This corrects a bug in Exchange that could allow an attacker to take control of an Exchange server just by sending it a specially crafted email. That’s a bit of a problem, as receiving emails is a big part of what Exchange is meant to do. Microsoft lists this as Important in severity, but taking over an Exchange server by simply sending it an email puts this in the Critical category to me. If you use Exchange, definitely put this high on your test and deploy list.
You can view the full list of CVEs released by Microsoft for January 2019 here.