Microsoft has announced its first Patch Tuesday of the year, addressing a total of 49 CVE-listed security vulnerabilities across its Windows operating system and other products. Among these vulnerabilities, seven are classified as critical, while 40 are deemed important, and two are identified as moderate in severity.
The software giant has reported that only one of the patched vulnerabilities was publicly known at the time of the update, and none of these vulnerabilities are actively being exploited in real-world scenarios. The critical vulnerabilities primarily pose risks of remote code execution and predominantly affect various iterations of Windows 10 and its server editions.
Specifically, two of the critical vulnerabilities involve Microsoft’s Hyper-V, where the host operating system fails to adequately validate input from authenticated users on guest systems. Three others pertain to the ChakraCore scripting engine, which inadequately handles objects in memory within the Edge browser. One critical flaw lies in Edge itself, which mishandles objects in memory, while the final one affects the Windows DHCP client due to improper handling of certain DHCP responses.
One important-rated vulnerability that was publicly disclosed but is not currently being exploited is CVE-2019-0579. This remote code execution flaw exists within the Windows Jet Database engine and allows arbitrary code to be executed on a victim’s system through a specially crafted file.
Additionally, the update addresses vulnerabilities in several Microsoft products including the .NET framework, Exchange Server, Edge, Internet Explorer, SharePoint, the Office suite, Windows Data Sharing Service, Visual Studio, Outlook, and the Windows Subsystem for Linux. An Office-related vulnerability, CVE-2019-0560, poses an information disclosure risk, where improperly disclosed memory contents may be exploited to extract sensitive information from users.
In another significant update, Microsoft patched a privilege escalation vulnerability in Skype for Android, tracked as CVE-2019-0622. This flaw could allow attackers to bypass the lock screen and access stored personal data merely by answering a call on an affected device.
Though the Skype vulnerability remains classified as moderate and requires physical access for exploitation, it highlights the importance of keeping software up to date. The fix was initially incorporated into Skype’s December 23 release, though users of the Android version must ensure they manually update the app via Google Play.
While this month’s patch update contains no mention of certain previously disclosed vulnerabilities, users are strongly advised to apply patches addressing a memory corruption issue in Internet Explorer, identified as CVE-2018-8653, which continues to be exploited.
To mitigate risks from potential attacks, it is critical for users and system administrators to promptly implement these security updates. The process involves navigating to Settings, then Update & Security, and finally Windows Update, followed by the ‘Check for updates’ option. Manual installations remain available for those who prefer that route.
In summary, these patches not only address critical vulnerabilities but also reflect an ongoing commitment by Microsoft to enhance security and protect its user base against malicious attacks. Viewed through the MITRE ATT&CK framework, the issues map to tactics such as initial access, privilege escalation, and persistence, underscoring the need for proactive security measures in today’s cyber landscape.