Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

Patch Tuesday Microsoft has released the first Patch Tuesday bundle of the year, patching up 49 CVE-listed security vulnerabilities and issuing two advisories.

Happy new year from Redmond

The January edition of Patch Tuesday includes critical fixes for Windows 10, Exchange Server, and Hyper-V.

Among the 49 bug fixes were patches for remote code execution flaws in DHCP (CVE-2019-0547) and an Exchange memory corruption flaw (CVE-2019-0586) that Trend Micro ZDI researcher Dustin Childs warns is particularly dangerous as it can be exploited simply by sending an email to a vulnerable server.

"That’s a bit of a problem, as receiving emails is a big part of what Exchange is meant to do," Childs explained.

"Microsoft lists this as Important in severity, but taking over an Exchange server by simply sending it an email puts this in the Critical category to me. If you use Exchange, definitely put this high on your test and deploy list."

Just one of the vulnerabilities has been reported as being publicly disclosed. That flaw, CVE-2019-0579, concerns a remote code execution vulnerability in the Windows Jet Database engine that would be exploited by tricking the victim into opening a specially-crafted file.

Also of priority should be the patch for CVE-2019-0550 and CVE-2019-0551, a pair of remote code execution vulnerabilities in Windows Hyper-V. Both flaws would allow a guest VM to execute exploit code on the underlying host machine.

Reg readers will already know of the Skype vulnerability behind CVE-2019-0622. As we warned of last week, the Android version of Skype was found to allow users to bypass the lock screen and access things like photos and contact details. Discovery was credited to researcher Florian Kunushevci.

As usual, the bulk of Microsoft's critical fixes concerned remote code execution vulnerabilities in the scripting engines for the Edge and Internet Explorer browsers. Jet Database was also a popular target this month, with a total of 10 remote code execution flaws (including the above-mentioned CVE-2019-0579) being patched.

Office once again sees fixes for a remote code execution flaw in Word (CVE-2019-0585) as well as an information disclosure bug in Exchange (CVE-2019-0588) and three cross-site scripting vulnerabilities in SharePoint.

Flash! Na-ahhhh…

A round of applause for Adobe, who didn't need to put out a single security fix for Flash today. Instead, the internet's screen door will see a handful of performance and stability fixes for the Mac, Windows, Linux, and Chrome OS versions of the multimedia plug-in.

Adobe also pushed out security updates for an information disclosure bug in Digital Editions for Windows, Mac, iOS, and Android, as well as a patch for a token exposure flaw in Connect. ®