March 2019 Patch Tuesday – 65 Vulns, 18 Critical, RCEs in DHCP Client, Adobe Vulns
Last updated on: October 27, 2022
This month’s Patch Tuesday addresses 65 vulnerabilities, with 18 of them labeled as Critical. Thirteen of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office. Three remote code execution (RCE) vulnerabilities are patched in the Windows DHCP Client, as well as an RCE vuln in Windows Deployment Services TFTP Server and Privilege Escalation in Microsoft Dynamics 365. Adobe’s release is light, with only two CVEs patched in Photoshop CC and Digital Editions.
Browser, Scripting Engine, ActiveX, and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Windows DHCP Client
The Windows DHCP Client is used across workstations and servers. Deployment of patches to cover the three RCE vulnerabilities should be prioritized for all Windows systems.
Windows Deployment Services TFTP Server
If you are using Windows Deployment Services, this patch should be prioritized, as exploitation could lead to remote code execution on the affected host.
Microsoft Dynamics 365
On-prem deployments of Microsoft Dynamics 365 are vulnerable to privilege escalation, and patching for these systems should also be prioritized.
Microsoft also released three advisories that cover a few topics:
- ADV190009 announces SHA-2 Code Sign support for Windows 7 SP1 and Windows Server 2008 R2. This update will be required for any new patches released after July 2019. Older versions of WSUS should also be updated to distribute the new SHA-2 signed patches.
- ADV190010 gives guidance on sharing the same user account across multiple users. Microsoft discourages this behavior and considers it a major security risk.
- ADV190005 provides mitigations for a potential denial-of-service in http.sys when receiving HTTP/2 requests. The patch allows users to set a limit on how many SETTINGS parameters can be sent in a single request.
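To make the ADV190005 mitigation concrete, here is an added example (not code from the post or from Microsoft) showing what a per-frame cap on HTTP/2 SETTINGS parameters enforces: a minimal parser for one SETTINGS frame, as laid out in RFC 7540, that rejects frames carrying more settings than a configured limit. The function names, the constructed test frames and the limit value of 16 are assumptions for illustration; http.sys's own limit is whatever the administrator configures after applying the update.

```python
import struct

# HTTP/2 SETTINGS frame (RFC 7540 section 6.5): 9-byte frame header followed by
# zero or more settings, each a 16-bit identifier and a 32-bit value (6 bytes).
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTING_SIZE = 6
FRAME_HEADER_SIZE = 9

# Assumed cap on settings per frame for this example; the real value is
# whatever the administrator configures after applying the ADV190005 update.
MAX_SETTINGS_PER_FRAME = 16


def parse_settings_frame(frame: bytes, max_settings: int = MAX_SETTINGS_PER_FRAME):
    """Parse one SETTINGS frame; return (accepted, [(id, value), ...], reason)."""
    if len(frame) < FRAME_HEADER_SIZE:
        return False, [], "truncated frame header"
    # Header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.
    length = int.from_bytes(frame[0:3], "big")
    frame_type, flags = frame[3], frame[4]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    if frame_type != SETTINGS_FRAME_TYPE:
        return False, [], "not a SETTINGS frame"
    if stream_id != 0:
        return False, [], "SETTINGS must be sent on stream 0"
    payload = frame[FRAME_HEADER_SIZE:FRAME_HEADER_SIZE + length]
    if len(payload) != length:
        return False, [], "payload shorter than declared length"
    if flags & SETTINGS_ACK_FLAG and length != 0:
        return False, [], "SETTINGS ACK must carry no payload"
    if length % SETTING_SIZE != 0:
        return False, [], "payload is not a whole number of settings"
    count = length // SETTING_SIZE
    if count > max_settings:
        # The condition a per-frame limit exists to catch: a peer forcing the
        # server to process an excessive number of settings in one frame.
        return False, [], f"{count} settings exceeds limit of {max_settings}"
    settings = [struct.unpack(">HI", payload[i:i + SETTING_SIZE])
                for i in range(0, length, SETTING_SIZE)]
    return True, settings, "ok"


def build_settings_frame(settings):
    """Build a SETTINGS frame on stream 0 (constructed input, not captured traffic)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in settings)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_FRAME_TYPE, 0]) + b"\x00" * 4
    return header + payload
```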
Adobe released non-security patches for Flash, as well as Critical security patches for Photoshop CC and Digital Editions, each with one vulnerability.
I like the Patch Tuesday announcements. Is there a way to correlate the QIDs to the patches being released?