
Post-Patch Tuesday Roundup: March 2019




Tim Lovegrove

Security Analyst

Welcome to the March 2019 Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday, and dissect a few of the key releases.

Microsoft

March’s Patch Tuesday addresses 64 vulnerabilities, 18 of which are rated as Critical. These run the usual gamut of Browser, ActiveX and MSXML bugs, meaning desktops and Internet-accessing servers are most at risk.

However, a handful are more serious and are worth digging into. The first 3 of these (CVE-2019-0697, CVE-2019-0698, CVE-2019-0726) affect the Windows DHCP client, which can be abused with no user interaction by sending a crafted packet to a target, resulting in Remote Code Execution (RCE) on the victim’s machine. While the implications are serious, the attack requires local network access or a successful Man in the Middle attack, making it hard to accomplish. Nonetheless, the CVSS score of 9.8 for each of these is high, just shy of the “perfect 10”, due to the complete system ownage that could result from a successful attack.

The DHCP bugs are serious but not currently being exploited in the wild. However, two further bugs in Win32k’s handling of objects in memory have been seen under active attack. These were reported in conjunction with Google, who issued an emergency patch for their Chrome browser on the 6th March to mitigate the issue. The issue affects Chrome on Windows 7/Server 2008, and could be seen as another driver to upgrade soon-to-be-retired operating systems. File under “Patch it yesterday”.

Adobe

Adobe are a little lighter than usual this month, with Flash getting an update which addresses performance and feature updates, but no reported security issues. Patches for Photoshop CC and Digital Editions were released, while Reader and Acrobat go unchanged.

Get in Touch

If you'd like any advice on the Microsoft or Adobe patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.