January was a big month for patching. If you missed the blog, you can catch up on it, here. But 2019 is now well under way and this month’s Patch Roundup is another busy one. Let’s get straight into it…

Microsoft

A bumper crop of updates from Microsoft – 74 vulnerabilties addressed, of which 20 are critical.

Firstly, a 0-day vulnerability was announced for Exchange back in January, which has resulted in a Cumulative Update (CU) for all currently-supported versions of the mail server. This bumps Exchange 2010 to Server Pack 3 with Update Roll-up 26, 2013 to CU22, 2016 to CU12 and the newer Exchange 2019 gets its first Cumulative Update, CU1. This vulnerability is linked back to an Oracle Outside library issue announced back in 2018 which has now been weaponised for Exchange, highlighting the interconnectedness of software, which may not be apparent on the surface.

Alongside this, the widely used Windows Server DHCP Server service is affected by a memory corruption vulnerability (CVE-2019-0626) which can be trigged simply by sending a crafted packet to the server. This and the Exchange Cumulative update should be the first priority for admins running these services.

Desktop Operating Systems are affected by a number of browser and scripting engine vulnerabilities, and Microsoft have dropped a large batch of Adobe Flash updates for Edge as well. This one is particularly interesting, as Adobe and Microsoft disagree on the severity, with Microsoft ranking it higher as a Critical risk with Remote Code Execution (RCE). As always, desktops and devices connecting to the Internet will need to be prioritised for these.

Adobe

As mentioned, Adobe Flash gets an update, as do Reader/Acrobat, ColdFusion and Creative Cloud. Between them, they total 71 vulnerabilties, making it yet another big month for Adobe fixes. Still widespread on desktops, these products should have the updates pushed or be configured to auto-update as soon as possible to protect your desktop users.

VMware

VMware released its first round of updates for the year at the tail end of January. Whilst these are largely rated as important, and cover off a variety of performance and security bugs, they also include a Critical vulnerability fix for VSAN. The documentation isn’t particularly clear and detail is scant, so admins of systems using this feature may want to review it carefully before deploying the update.

Get in Touch

If you'd like any advice on the Microsoft, Adobe or VMware patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.