After a busy year of patches and real challenges to the quality of the update process, Microsoft has delivered a “mild” January Patch Tuesday that addresses 47 unique vulnerabilities. This month, we have one publicly reported vulnerability (CVE-2019-0579), a problem in the Microsoft JET engine. There are no critical updates for Adobe (really!) and a “Patch Now” rating for the Microsoft IE and Edge browser updates. In addition to the normal security and quality updates released this month, Microsoft has published its latest Servicing Stack Update (SSU) with ADV990001, which applies to Windows 10 (all releases), Server 2008 and Server 2016.
I would also follow Chris Goettl’s advice and patch December’s out-of-band IE update (CVE-2018-8653) as a priority. You can read more here.
Known Issues, January 2019
Microsoft has documented eleven known issues with this update, which are summarized here:
- After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception
- System Center Virtual Machine Manager (SCVMM) managed workloads are noticing infrastructure management issues after VMM refresh
- After installing this update on Windows Server 2016, instant search in Microsoft Outlook clients fails with the error, “Outlook cannot perform the search”
- After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters
- After installing KB4467691, Windows may fail to start up on certain Lenovo laptops that have less than 8 GB of RAM
And lastly, it looks like there have been some early reports of Wi-Fi hotspots not connecting correctly with this latest update. Microsoft is already working on a fix, and we may see an Out of Band (OOB) update later this month to resolve this issue.
Each month, I try to break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- MicrosoftNET Core, .NET Core and Chakra Core
- Adobe Flash Player
Windows
This month brings a single publicly reported vulnerability (CVE-2019-0579) that could lead to a remote code execution scenario across all Windows platforms. At present, there are no known vulnerabilities that have been reported as exploited in the wild. In total, Microsoft has addressed 29 vulnerabilities across the Windows platform (both server and desktop) with three rated as critical by Microsoft. A quick summary of the three reported critical updates includes:
- CVE-2019-0547: A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client.
- CVE-2019-0550, CVE-2019-0551: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system
Add this month’s Windows updates to your standard patch deployment schedule.
Browsers
Microsoft has addressed six vulnerabilities in Microsoft Edge and IE with the most serious rated as critical by Microsoft. It looks like the Chakra JavaScript engine has issues with memory handling which could lead to a remote code execution scenario on the targeted system. Given the nature of the vulnerability, please add this update to your “Patch Now” schedule.
Microsoft Office
Microsoft has not released any quality or security updates for Microsoft Office for this January release cycle. That said, it may be useful to note that Microsoft has pulled the Office 2010 update.
Development Tools (.NET and JavaScript)
This January security release attempts to resolve nine reported vulnerabilities, with one rated as critical and the remaining eight rated as important by Microsoft. The update to the Chakra Core project can be found on Microsoft’s GitHub here. The other updates are included in Microsoft’s Security Only, Security Update and Monthly Roll-up releases. Add these updates to your standard development patch release cycle.
Adobe (Flash Player)
Another zero-day discovery from the Trend Micro Zero Day Initiative shows how specially crafted PDF files can be used to exploit security vulnerabilities in Adobe APIs and to execute code with logged-in user privileges. Adobe has not released any critical updates for January (really!), with a single lower rated vulnerability (APSB19-02). Add this patch to your standard release schedule.
Other News
Those watching the slow progress of Windows 10 finally overtaking Windows 7 will note that there is still a lot of work to get everyone on the “Final OS” or even the “Forever OS”. Unless you want to move your desktop to the cloud. That said, Windows 7 support ends this week next year. And given some of the issues with Microsoft releases in 2018, let’s hope Michael Fortin’s assurances about Microsoft’s release quality hold up for 2019.