Last updated at Tue, 08 Jan 2019 22:56:17 GMT
Microsoft's first updates of the year address 49 separate vulnerabilities, which is on the low side relatively speaking. We're also getting rare respite from Flash vulnerabilities (although Adobe published a "security bulletin" for Flash today, the new version does not actually contain any security fixes). It's worth noting, however, that Adobe fixed two Critical vulnerabilities in Acrobat and Reader last Thursday (APSB19-02).
The most severe vulnerability being patched today is CVE-2019-0547, a Remote Code Execution (RCE) in the Windows DHCP client, though thankfully it only affects version 1803 of Windows 10 and Windows Server. An attacker able to send a maliciously crafted DHCP response to a vulnerable system would be able to run arbitrary code. DHCP is a network management protocol often used to dynamically configure things like IP addresses for systems when they connect to a router. Any untrusted network, such as a random Wi-Fi hotspot in a coffee shop, is a potential vector for this attack.
None of today's vulns are known to be actively exploited, although CVE-2019-0579 (RCE in the Jet Database Engine) had been publicly disclosed before getting patched. In fact, a total of 11 CVEs related to the Jet Database Engine were published today, all potentially leading to RCE.
It doesn't look as though either of the two vulnerabilities disclosed by the security researcher SandboxEscaper towards the end of last month were resolved by today's updates. One is a privilege escalation bug that lets any file be read with system level access, and the other allows a target file to be overwritten with arbitrary data.
Other notable bugs that were fixed today include CVE-2019-0550 (RCE in Windows Hyper-V that could allow a guest operating system to execute arbitrary code on the host system), CVE-2019-0567 (RCE in the Edge browser), and CVE-2019-0585 (RCE in Microsoft Word). On the server side, four vulnerabilities for SharePoint were patched and two for Exchange Server.
Note: not all CVEs had CVSSv3 data available at the time of writing