Microsoft released its monthly set of security updates to address the vulnerabilities in its products today. There are 49 vulnerabilities with 7 rated critical for Remote Code Execution , 40 rated important and 2 rated moderate in severity. These updates have addressed the issues in Adobe Flash Player, Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, and Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, ASP.NET, Microsoft Exchange Server and Microsoft Visual Studio. It is also worth noting that no zero-days were reported for the fresh start of 2019. But a deep look at the other critical updates would prove useful in keeping the gremlins on your machines at bay.

But that’s not all! Microsoft also pulled off its non-security updates for Office 2010 that were released earlier this month following multiple issues that were reported in Excel from its Japanese customers. Microsoft advises that these updates be uninstalled to prevent crashes and other such difficulties. Details follow.

Publicly Disclosed
CVE-2019-0579 was disclosed publicly ahead of the release. This is a remote code execution vulnerability in the Windows Jet Database Engine and has been rated important. This flaw exists due to the improper handling of objects in the memory. This vulnerability affects the Confidentiality, Integrity, and Availability of a machine and an attacker can exploit this vulnerability without any form of authentication.

Critical Vulnerabilities
critical vulnerabilities were addressed this month. And all of them allow an attacker to remotely execute code on the vulnerable systems. Most of these vulnerabilities could also allow attacks through specially crafted or compromised websites. Here is a brief overview of the vulnerabilities that are in dire need of action:

  • CVE-2019-0539, CVE-2019-0567 & CVE-2019-0568These are memory corruption vulnerabilities in the Chakra Scripting Engine which arise due to improper handling of objects in memory in Microsoft Edge.
  • CVE-2019-0547 – This a memory corruption vulnerabililty in the Windows DHCP client which arises when specially crafted DHCP responses are sent to the client by an attacker.
  • CVE-2019-0550 & CVE-2019-0551 – These address vulnerabilities in Windows Hyper-V on a host server. The flaws exist due to improper validation of input supplied by an authenticated user on a guest operating system. Arbitrary code can be executed on the Hyper-V host system by running specially crafted file on the guest operating system.
  •  CVE-2019-0565 – This is a memory corruption vulnerability in Microsoft Edge which arises due to improper access of objects in memory.

January 2019 patch Tuesday release consists of security updates for the following products:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • .NET Framework
  • Microsoft Exchange Server
  • Microsoft Visual Studio
  • Latest Servicing Stack Updates (ADV990001)

Microsoft security bulletin summary for December 2018:

Product : Internet Explorer
CVEs/Advisory : CVE-2019-0541
Severity : Important
Impact : Remote Code Execution
KBs : 4480116, 4480961, 4480962, 4480963, 4480965, 4480966, 4480968, 4480970, 4480973, 4480975, 4480978

Product : Microsoft Edge
CVEs/Advisory : CVE-2019-0539, CVE-2019-0565, CVE-2019-0566, CVE-2019-0567, CVE-2019-0568
Severity : Critical
Impact : Remote Code Execution, Elevation of Privilege
KBs : 4480116, 4480961, 4480962, 4480966, 4480973, 4480978

Product : Microsoft Windows
CVEs/AdvisoryCVE-2019-0536, CVE-2019-0538, CVE-2019-0543, CVE-2019-0547, CVE-2019-0549, CVE-2019-0550, CVE-2019-0551, CVE-2019-0552, CVE-2019-0553, CVE-2019-0554, CVE-2019-0555, CVE-2019-0569, CVE-2019-0570, CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584
Severity :  Critical
Impact : Elevation of Privilege, Information Disclosure, Remote Code Execution
KBs : 4480116, 4480957, 4480960, 4480961, 4480962, 4480963, 4480964, 4480966, 4480968, 4480970, 4480972, 4480973, 4480975, 4480978

Product : Microsoft Office and Microsoft Office Services and Web Apps
CVEs/Advisory : CVE-2019-0541, CVE-2019-0556, CVE-2019-0557, CVE-2019-0558, CVE-2019-0559, CVE-2019-0560, CVE-2019-0561, CVE-2019-0562, CVE-2019-0585, CVE-2019-0622
Severity : Important
Impact : Elevation of Privilege, Information Disclosure, Remote Code Execution, Spoofing
KBs : 2553332, 2596760, 3172522, 4022162, 4461535, 4461537, 4461543, 4461589, 4461591, 4461594, 4461595, 4461596, 4461598, 4461601, 4461612, 4461614, 4461617, 4461620, 4461623, 4461624, 4461625, 4461633, 4461634, 4461635, 4462112

Product : ChakraCore
CVEs/Advisory : CVE-2019-0539, CVE-2019-0567, CVE-2019-0568
Severity : Critical
Impact : Remote Code Execution

Product : Microsoft Exchange Server
CVEs/Advisory : CVE-2019-0586, CVE-2019-0588
Severity : Important
Impact : Remote Code Execution,  Information Disclosure
KBs : 4468742, 4471389

Product : Microsoft Visual Studio
CVEs/Advisory : CVE-2019-0537, CVE-2019-0546,
Severity : Important
Impact : Information Disclosure, Remote Code Execution
KBs : 4476698, 4476755

Product : Adobe Flash Player
KBs : 4480979

Product : .NET Framework
Severity : Important
Impact :  Information Disclosure
KBs : 4480051, 4480054, 4480055, 4480056, 4480057, 4480058, 4480059, 4480061, 4480062, 4480063, 4480064, 4480070, 4480071, 4480072, 4480074, 4480075, 4480076, 4480083, 4480084, 4480085, 4480086, 4480961, 4480962, 4480966, 4480973, 4480978

Product : ASP.NET
CVEs/AdvisoryCVE-2019-0548, CVE-2019-0564
Severity : Important
Impact : Denial of Service

Office updates to be uninstalled

  • Update for Microsoft Excel 2010 (KB4461627)
  • Update for Microsoft Office 2010 (KB4032217)
  • Update for Microsoft Office 2010 (KB4032225)
  • Update for Microsoft Office 2010 (KB4461616)

SecPod Saner detects these vulnerabilities and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.

Patch Tuesday: Microsoft Security Bulletin Summary for January 2019
Article Name
Patch Tuesday: Microsoft Security Bulletin Summary for January 2019
Publisher Name
SecPod Technologies
Publisher Logo

Leave a Reply

Your email address will not be published. Required fields are marked *