Microsoft started the new year yesterday by issuing fixes for a near half century of vulnerabilities, although only seven were rated critical.
Many of these were remote code execution (RCE) bugs, with experts agreeing that CVE-2019-0547 should be top of the priority list. This RCE vulnerability in the Windows DHCP Client was given Microsoft’s highest exploit index rating.
“DHCP is a network management protocol often used to dynamically configure things like IP addresses for systems when they connect to a router,” explained Rapid7 senior security researcher, Greg Wiseman. “Any untrusted network, such as a random Wi-Fi hotspot in a coffee shop, is a potential vector for this attack.”
Other critical flaws to look at first include three Chakra scripting engine memory corruption vulnerabilities (CVE-2019-0539, CVE-2019-0567, CVE-2019-0568); two Hyper-V RCEs (CVE-2019-0550, CVE-2019-0551); and CVE-2019-0565, a Microsoft Edge memory corruption vulnerability.
Unlike the past few months, there were no zero-day flaws for admins to tackle, but there was one which had been publicly disclosed although not actively exploited in the wild.
CVE-2019-0579 is an RCE in the Jet Database Engine: one of 11 CVEs which could lead to RCE in the product.
Also on the list is Exchange memory corruption vulnerability CVE-2019-0586, which could allow an attacker to take control of a victim machine by sending a specially crafted email.
System administrators are also spared the regular task of patching Adobe Flash this month, although the vendor released fixes for two critical vulnerabilities in Reader and Acrobat last Thursday.
Qualys director of product management, Jimmy Graham, also reminded IT teams not to forget the out-of-band patch Microsoft released on December 17 for CVE-2018-8653, fixing a bug affecting Internet Explorer 9-11 which has been actively exploited in the wild.
“This patch should also be prioritized to all workstation-type devices,” he said.
The Zero Day Initiative has a full list of CVEs for January 2019 here.