Microsoft Delivers Mild January Security Patch Bundle
Microsoft offered a relatively mild "update Tuesday" bundle of security fixes in its January release this month.
The official Microsoft announcement leads to Microsoft's Security Update Guide, which is a vast catalog-type description of the January security updates. There are also January Release Notes from Microsoft indicating that everything from Windows to Microsoft's browsers to the .NET Framework is getting patches this month.
Sometimes, though, it's just easier to read what Microsoft's software security partners have to say about the patches.
All told, organizations are getting patches for 49 common vulnerabilities and exposures (CVE) in the January release, according to a Tuesday post by Dustin Childs of Trend Micro's Zero Day Initiative. Of that total, just seven patches are rated "Critical" by Microsoft, with 40 rated as "Important," so this month's bundle turns out to be not such a big deal.
Childs ranked a Windows DHCP client remote code execution flaw (CVE-2019-0547) at the top of his list of things to patch. It affects Windows 10 and Windows Server version 1803. It's a "wormable" flaw in a Windows listening service, and it received Microsoft's highest Exploitability Index rating, he noted.
He also pointed to a Microsoft Exchange memory corruption flaw (CVE-2019-0586) that "could allow an attacker to take control of an Exchange server by just sending a specially crafted email" to it. Given the gravity of that scenario, Childs questioned whether Microsoft's description of this flaw as merely "Important" was the best ranking choice.
Other notable things to fix include Hyper-V remote code execution flaws (CVE-2019-0550 and CVE-2019-0551) and a Skype for Android elevation of privilege flaw (CVE-2019-0622), Childs noted.
Only one of the flaws getting patched with the January Microsoft bundle was described as having been "publicly disclosed" previously, according to analysis by Chris Goettl, director of product management for security at Ivanti, via e-mail. The publicly disclosed flaw, known as CVE-2019-0579, is an "Important" Jet Database Engine remote code execution flaw for all supported Windows systems.
"While only rated as Important, this vulnerability [CVE-2019-0579] has been disclosed, meaning enough information was released to the public that an attacker could have an easier time to develop exploits for the vulnerability," Goettl noted.
However, the details of CVE-2019-0579 may not be well known. Childs indicated that "it's not clear where the information is published" about it. In contrast, the Skype for Android flaw actually was disclosed on December 31 in a YouTube video, although Microsoft doesn't list it as being "Public," Childs noted.
IT pros will likely want to take note of the accompanying Security Advisory ADV990001 this month, on top of the January security fixes. The advisory's stated purpose is to announce a mandatory servicing stack update, released on Jan. 8, for Windows 10 version 1703. However, the advisory also includes a useful catalog of Microsoft's past servicing stack update releases for those trying to keep track of them.
Goettl offered a thumbnail sketch of the importance of servicing stack updates for Windows systems:
Microsoft has released an updated servicing stack for Windows 10 1703. This is the only servicing stack update this month. Servicing stack updates update the update system … if that makes any sense. In other words, if you don't do this update you may not be able to reliably do future updates amongst other changes to the system. Servicing stack updates are in addition to the cumulative updates. Read here for all you ever wanted to know about Servicing Stack Updates.
For more update Tuesday talk, Ivanti is planning to host a Patch Tuesday discussion on Microsoft's January security bundle, starting on January 9.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.