RCE flaw in Windows DHCP client fixed in this update

Jan 9, 2019 07:35 GMT  ·  By  ·  Comment  · 
Share:             
This update is shipped to Windows 10 version 1803
   This update is shipped to Windows 10 version 1803

The January 2019 Patch Tuesday cycle includes a fix for a Remote Code Execution flaw in the Windows DHCP client on Windows 10 version 1803, and Microsoft says you should patch as soon as possible.

The patch is bundled into Windows 10 cumulative update KB4480966, which is only available for version 1803 (April 2018 Update), as this is the only Windows release that’s affected by the flaw.

The vulnerability is detailed by Microsoft in CVE-2019-0547 where the company explains that there is no known exploit right now.

“A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine,” it says.

“To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client. The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.”

Known issues

Nate Warfield of the MSRC team says the bug was discovered internally and no proof of concept would be released, though you are strongly recommended to install the update as soon as possible.

What’s important to know is that this cumulative update comes with four known issues, and you should have them all in mind when installing it (scroll down to the end of the article to read them in full).

One of the newest affects third-party applications, which according to Microsoft may not be able to authenticate hotspots after installing the update. A fix is already being developed and a resolution is expected in mid-January.

We aren’t aware of any known issues right now, but there’s a chance KB4480966 installs correctly, and given the security vulnerability described here, you should install it as soon as possible.

Symptom Workaround
After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:

4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates.

Microsoft is working on a resolution and will provide an update in an upcoming release.
After installing this update, some users cannot pin a web link on the Startmenu or the taskbar. Microsoft is working on a resolution and will provide an update in an upcoming release.
After installing KB4467682, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters. Set the domain default "Minimum Password Length" policy to less than or equal to 14 characters.
Microsoft is working on a resolution and will provide an update in an upcoming release.
After installing this update, third-party applications may have difficulty authenticating hotspots. Microsoft is working on a resolution and estimates a solution will be available mid-January.
  Click to load comments
This enables Disqus, Inc. to process some of your data. Disqus privacy policy

Related Stories

Fresh Reviews

Latest News