Microsoft January 2019 Patch Tuesday fixes 50 vulnerabilities
Microsoft has released today its monthly roll-up of security updates known as Patch Tuesday. In this month’s update train, the Redmond-based OS maker has patched 50 vulnerabilities across nine products, including the Windows OS, Internet Explorer, Microsoft Edge, ChakraCore, the .NET Framework, ASP.NET, Microsoft Visual Studio, Microsoft Exchange Server, and Microsoft Office and Microsoft Office Services and Web Apps.
While in the previous four months the company has patched four zero-days in a row, this month’s Patch Tuesday did not include security updates for actively-exploited vulnerabilities.
However, there are quite a few bugs that users need to be aware of, as they could grant attackers control over a Windows system, if they would ever be exploited, either by malware running on a PC, or after users access malicious websites.
To be more precise, there are 17 bugs in this month’s Patch Tuesday marked as “remote code execution” issues, which are vulnerabilities that allow attackers a direct avenue to execute code inside various Microsoft products or Windows components without needing a foothold on a system beforehand.
Seven of these RCEs are also marked “Critical,” which is also the highest severity level that Microsoft assigns to security bugs. Of the seven, three affect the ChakraCore scripting engine included in Edge, two affect Microsoft’s Hyper-V server virtualization environment, one impacts Edge directly, and one affects the ubiquitous Windows DHCP client.
Since the Windows DHCP client is enabled on all Windows operating systems, and the vulnerability can be exploited remotely, users should make sure they don’t miss this month’s update.
This table compiled by Trend Micro’s Zero Day Initiative lists vulnerabilities patched this month, based on their severity.
ZDNet has also put together a different table, available online here, which lists in-depth details about each vulnerability on one single page. More information is also available on Microsoft’s official Security Update Guide portal, which also includes interactive filtering options so users can find the updates and patches for only the products that are of interest.
Earlier today, Adobe released its own security updates, but only for Adobe Connect (web conferencing software) and Adobe Digital Editions (e-book reader). There were no Flash Player security updates today, but only feature and performance bugs, which were also automatically deployed to Windows users via security advisory ADV190001, included in today’s Patch Tuesday updates.