The January 2019 Security Update Review

January 08, 2019 | Dustin Childs

A new year is upon us and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.

Adobe Patches for January 2019

Adobe kicked off the new year by releasing an unscheduled update for Adobe Acrobat and Reader on January 3rd. Unlike most of their unscheduled releases, this one does not address anything being actively exploited. The two critical-rated CVEs it fixes were both reported through the ZDI program. The security bypass reported by ZDI researcher Abdul-Aziz Hariri was the result of a previously released security patch that didn’t quite fix what it intended to fix. The other CVE is a use-after-free (UAF) bug that was fast approaching the 120-day disclosure deadline. Again, neither was publicly known or under active attack at the time of release.

Today, Adobe released additional security patches for Flash, Connect, and Adobe Digital Editions. The Flash patch actually just provides bug fixes and does not address any security bugs. The Connect patch addresses a single CVE correcting a security token exposure. Similarly, the patch for Digital Editions patches one CVE fixing an out-of-bounds read. None of these issues are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for January 2019 

Microsoft begins 2019 with 49 security patches and two advisories covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, Visual Studio, and the .NET Framework. Of these 49 CVEs, 7 are listed as Critical, 40 are rated Important, and two are rated Moderate in severity. A total of 10 of these CVEs came through the ZDI program. One of these bugs is listed as publicly known at the time of release and none are reported as being actively exploited.

Let’s take a closer look at some of the more interesting patches for this month, starting with a disconcerting bug in the Windows DHCP client:

- CVE-2019-0547 – Windows DHCP Client Remote Code Execution Vulnerability
If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list. A bug in the DHCP client could allow attackers to execute their code on affected systems. Code execution through a widely available listening service means this is a wormable bug. Microsoft also gives this its highest Exploit Index rating, meaning the bug is highly exploitable. It’s interesting the vulnerability exists in the latest version of the OS but not previous ones. It’s likely due to the component being re-written for the newer systems. Regardless, definitely put this in your “patch now” category.

- CVE-2019-0586 – Microsoft Exchange Memory Corruption Vulnerability
This corrects a bug in Exchange that could allow an attacker to take control of an Exchange server just by sending it a specially crafted email. That’s a bit of a problem, as receiving emails is a big part of what Exchange is meant to do. Microsoft lists this as Important in severity, but taking over an Exchange server by simply sending it an email puts this in the Critical category to me. If you use Exchange, definitely put this high on your test and deploy list.

- CVE-2019-0550, CVE-2019-0551 – Windows Hyper-V Remote Code Execution Vulnerability
These are two different CVEs, but I grouped them together as they have the same exploit scenario and impact. For both cases, a user on a guest virtual machine could execute code on the underlying hypervisor OS. The root cause for both of these bugs goes back to the failure to properly validate user input. Although titled as “remote code execution,” these bugs require an attacker to execute code on the guest OS. At last year’s Pwn2Own, these bugs could have earned up to $250,000 USD for a participant. This year’s event will also likely include large payouts for Hyper-V exploits. Let’s hope we see some bugs like these demonstrated at the contest.

- CVE-2019-0622 – Skype for Android Elevation of Privilege Vulnerability
Although not as severe as some of the other bugs addressed this month, this patch covers a bug in Skype for Android that could bypass the lock screen. Obviously, an attacker would need physical access to your phone to do this. According to published reports, a fix for this was included in the December 23 release of Skype, so this release is primarily documenting the details. Although Microsoft does not list this as publicly known, the researcher posted a YouTube video demonstrating the vulnerability back on December 31. To get the update, you’ll need to manually access the Google Play store and update the Skype app from there.

Here’s the full list of CVEs released by Microsoft for January 2019.

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-0579 | Jet Database Engine Remote Code Execution Vulnerability | Important | Yes | No | 3 | 3 | RCE |
| CVE-2019-0539 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0568 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0567 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0565 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0547 | Windows DHCP Client Remote Code Execution Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0550 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0551 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0564 | ASP.NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0548 | ASP.NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0566 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP |
| CVE-2019-0562 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0543 | Microsoft Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0555 | Microsoft XmlDocument Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0552 | Windows COM Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0571 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0572 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0573 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0574 | Windows Data Sharing Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0570 | Windows Runtime Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0545 | ASP.NET Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0560 | Microsoft Office Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0559 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0537 | Microsoft Visual Studio Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0561 | Microsoft Word Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0536 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0549 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0554 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0569 | Windows Kernel Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0553 | Windows Subsystem for Linux Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0541 | Internet Explorer Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-0538 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0575 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0576 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0577 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0578 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0580 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0581 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0582 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0583 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0584 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 3 | 3 | RCE |
| CVE-2019-0588 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0586 | Microsoft Exchange Memory Corruption Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-0585 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0556 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-0557 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-0558 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-0622 | Skype for Android Elevation of Privilege Vulnerability | Moderate | No | No | N/A | N/A | EoP |
| CVE-2019-0546 | Visual Studio Remote Code Execution Vulnerability | Moderate | No | No | 2 | 2 | RCE |

While there are only seven Critical-rated patches in the bunch, nearly half of this month’s patches correct some form of remote code execution. Eleven of these RCE patches involve the Jet Database Engine. One of these patches is listed as publicly known, but it’s not clear where the information is published. There is user interaction here, as targets need to open a specially crafted file. The Jet Database Engine is something we have a bit of familiarity with, so it’s good to see additional patches for the component.

User interaction is also what lowers severity ratings for RCEs in Office and, unusually, Internet Explorer. While browser bugs are typically browse-and-own, CVE-2019-0541 requires the target to edit a specially crafted file designed to exploit the vulnerability. There are also patches for more traditional browser bugs in Edge and ChakraCore, but fewer this month than seen in previous months.

In addition to the Exchange bug mentioned above, there’s also an info disclosure bug in Exchange being addressed. This joins info disclosure bugs in other Office components, the Windows kernel, .NET, and the Windows Subsystem for Linux. Most of these will simply leak memory address information, but others could allow attackers to read data from files or details from calendar appointments. The ASP.NET component also has a couple of denial-of-service bugs patched this month. In both cases, a remote unauthenticated attacker could crash an ASP.NET Core web application by sending specially crafted requests.

Rounding out this month’s release are some elevation of privilege bugs in SharePoint and multiple Windows components, most notably the Windows Data Sharing Service, which gets four separate CVEs. For these types of bugs, attackers first need to log on to a system. They would then execute a specially crafted program designed to take advantage of the vulnerability. This is a common tactic for malware to embed itself on a system. SharePoint also gets three patches to address cross-site scripting (XSS) bugs, which also serve as a reminder to developers to always sanitize user input. 

The first advisory released in January is the confusingly named ADV990001, which provides the latest servicing stack updates for supported Windows versions. Although listed as Critical, this usage means that it is a critical update for your system – not a Critical severity bug. Finally, the other advisory for this month is Microsoft’s version of the previously discussed Adobe patch for Flash in Internet Explorer.
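For teams turning the table above into a deployment order, the following added example (not part of the original post, and not ZDI's or Microsoft's method) parses a few rows taken from that table and sorts them. The ordering policy in `triage_key` and the handling of "N/A" Exploit Index values are assumptions you should adjust to your own environment.

```python
# Added example: rank rows of the January 2019 table for deployment.
# The ordering policy in triage_key() is an assumption, not ZDI's or Microsoft's.
from typing import NamedTuple

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2}
XI_UNRATED = 4  # assumption: "N/A" sorts after the least likely rating (3)

# Rows taken from the table on this page, whitespace-separated.
ROWS = """\
CVE-2019-0579 Jet Database Engine Remote Code Execution Vulnerability Important Yes No 3 3 RCE
CVE-2019-0547 Windows DHCP Client Remote Code Execution Vulnerability Critical No No 1 N/A RCE
CVE-2019-0550 Windows Hyper-V Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-0586 Microsoft Exchange Memory Corruption Vulnerability Important No No 1 1 RCE
CVE-2019-0564 ASP.NET Core Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0622 Skype for Android Elevation of Privilege Vulnerability Moderate No No N/A N/A EoP
"""

class Patch(NamedTuple):
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi: int    # best (lowest) Exploit Index across latest/older releases
    kind: str

def parse_row(line: str) -> Patch:
    """Parse one row; titles contain spaces, so read the fixed columns from the right."""
    if "|" in line:  # also accept pipe-delimited rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cve, title, tail = cells[0], cells[1], cells[2:]
    else:
        parts = line.split()
        cve, title, tail = parts[0], " ".join(parts[1:-6]), parts[-6:]
    if len(tail) != 6 or tail[0] not in SEVERITY_RANK:
        raise ValueError(f"unrecognised row: {line!r}")
    severity, public, exploited, xi_new, xi_old, kind = tail
    xi = min(int(x) if x.isdigit() else XI_UNRATED for x in (xi_new, xi_old))
    return Patch(cve, title, severity, public == "Yes", exploited == "Yes", xi, kind)

def triage_key(p: Patch):
    # Exploited first, then likeliest exploitation, then severity, then public.
    return (not p.exploited, p.xi, SEVERITY_RANK[p.severity], not p.public)

def triage(text: str) -> list:
    return sorted((parse_row(l) for l in text.splitlines() if l.strip()), key=triage_key)

if __name__ == "__main__":
    for p in triage(ROWS):
        print(f"{p.cve}  XI={p.xi}  {p.severity:<9}  {p.kind:<4} {p.title}")
```

Under this policy the DHCP client and Exchange fixes sort ahead of the publicly known Jet bug, because the Exploit Index is weighted above public disclosure.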

Looking Ahead

The next patch Tuesday falls on February 12, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!