Post-Patch Tuesday Roundup: January 2019

Networking & security

Tim Lovegrove

Security Analyst

Welcome to the first Patch Roundup of 2019, where we look at the latest updates from some of our main vendors and dissect some of the key releases. We took a month off in December so there’s plenty to catch up on!

Microsoft

December’s Patch Tuesday was, thankfully, fairly light. It addressed 39 vulnerabilities, 9 of which were classed as Critical. The majority of these are browser-related, with one (CVE-2018-8611) being a serious kernel privilege escalation bug that’s being actively exploited in the wild.

January brought a more substantial set of bug fixes in its 49 patches, probably the most significant of which is CVE-2019-0586, an Exchange memory corruption flaw that allows an attacker to run arbitrary code and so install software, access or modify data, or create accounts. To make matters worse, this vulnerability can be exploited simply by sending a specially crafted email to the affected mail server. This one should be a top priority for anyone running on-prem Exchange.

Hyper-V and the Windows DHCP client also got patched for some serious bugs. Hyper-V is subject to a pair of hypervisor escape flaws that allow code execution on the underlying host. CVE-2019-0550 and CVE-2019-0551 should be high on the list for departments working with Hyper-V.

The DHCP vulnerability is much more widespread, however, and like the Exchange flaw it allows the attacker to run arbitrary code on the target machine. A maliciously crafted DHCP response is sent to the machine requesting an IP address, causing memory corruption. This is likely to be relatively low risk in corporate networks, where there is a good deal of control over the DHCP services. However, it’s precisely the sort of thing hackers love, and is something to look out for on public WiFi networks in airports and coffee shops. Road warriors beware!

Adobe

The December patches for Adobe Acrobat and Reader covered a whopping 87 vulnerabilities, almost half of which could be exploited for remote code execution. The 3rd January saw the early release of two further critical patches, which were clearly significant enough to warrant being pushed sooner than the usual Patch Tuesday. Flash has also been updated, but for once, no security issues are addressed, with this month’s release focusing instead on performance and stability fixes.

This is a great example of the importance of monitoring patch releases, and deploying them quickly. If you took the last few weeks off from patching, you could be returning from the Christmas break to 89 opportunities for attackers to find their way into your systems, or to extract information from your company using a booby-trapped PDF alone. Multiply that by the number of endpoints, and you’ll quickly see your potential exposure.

Get in Touch

If you'd like to learn more about any of the patch updates discussed above, please contact your Softcat Account Manager, or get in touch using the button below.