Virtual Administrator’s January 2019 Patch Recommendations

This month Microsoft released patches for 49 vulnerabilities with 7 of them rated “Critical”, 40 “Important” and 2 “Moderate”.

*******************************************************************************************

UPDATE: KB4480970/KB4480960 release

We are approving KB4480970 (Monthly Rollup) and KB4480960 (Security only) for Windows 7/Server 2008R2

Microsoft released a patch (KB4487345) that corrects the problems with remotely access shares introduced by KB4480970/KB4480960. KB4487345 should be installed on any Windows 7 and Server 2008R2 machines affected.

KB4487345 is only available from the Microsoft Update Catalog. It cannot be installed automatically with Windows Updates or Kaseya patch management. We created an agent procedure you can use to deploy KB4487345. The “KB4487345 install” script will be posted on ClubMSP. VA on-prem users can find it in the “Shared>_VA Scripts>Patch Deployment>KB#### Install” folder.

Description of the update for Windows 7 SP1 and Windows Server 2008 R2: January 11, 2019

Applies to:   Windows 7 Service Pack 1, Windows Server 2008 R2

https://support.microsoft.com/en-us/help/4487345/update-for-windows-7-sp1-and-windows-server-2008-r2

“This update resolves the issue where local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows 7 SP1 and Windows Server 2008 R2 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local “Administrators” group.”

*******************************************************************************************

Delayed release of KB4480970/KB4480960 for Windows 7/Server 2008R2. 

All other patches have been approved in our patch policy.

 

Last month’s Out-of-Band security (CVE-2018-8653) was released the next day and should be already installed. Of most concern this month are CVE-2019-0547 and CVE-2019-0579. CVE-2019-0547 is a weakness in the Windows DHCP client. CVE-2019-0579 is publicly disclosed bug in the Jet Database Engine. In addition CVE-2019-0550 and CVE-2019-0551 are RCEs affecting Windows Hyper-V. CVE-2019-0565 is a memory corruption flaw in the Edge browser. Also the Chakra Scripting Engine has three memory corruption flaws CVE-2019-0539, CVE-2019-0568, and CVE-2019-0567.  See “Notable CVEs” below.

 

Delayed release of KB4480970/KB4480960 for Windows 7/Server 2008R2

“Local users who are part of the local “Administrators“ group may not be able to remotely access shares”. Because of the widespread impact this could have we are going to review this over the next week and decide next Friday if we can approve it.  We have seen registry fixes posted but have not been able to test thoroughly.  Those registry changes have not been approved by Microsoft. See “Known Issues” below for KB4480970. We will update this post next Friday with further details.

 

Out-of-Band security update for Internet Explorer: December 19, 2018

CVE-2018-8653 Microsoft has released KB4483187, KB4483230, KB4483234, KB 4483235, KB4483232, KB4483228, KB4483229, and KB4483187 to address the IE zero-day. These were release on December 20, 2018. See Notable CVEs below.

 

Heads Up! Windows may fail to startup on Lenovo Laptops with less than 8 GBs memory. Only a small number of machines are affected by this. We found about 1 in 1,000 of our agents. See “Known Issues” below for KB4480961.

 

FYI – Microsoft Pulled some January 2019 Updates For Office. After numerous complaints, Microsoft pulled the four updates launched for Microsoft Office 2010. These include an Update for MS Excel 2010 (KB4461627, and three updates for Microsoft Office 2010 (KB4032217, KB4032225, and KB4461616).

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

Affected software include:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • .NET Framework
  • ASP.NET
  • Microsoft Exchange Server
  • Microsoft Visual Studio

 

Microsoft Security Advisories (That’s not a security issue?)

ADV190001 | January 2019 Adobe Flash Update (Published: 01/08/2019)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190001

This update does not address any security vulnerabilities. For more information, please see APSB19-01.

Note: Please disregard mentions of security or vulnerability in this advisory. These are hardcoded titles that we were unable to change for this non-security Adobe Flash update.

 

Known Issues: KB4480961, KB4480973, KB4480978, KB4480966, KB4480970, KB4480116, KB4480962, KB4480963, KB4480975, KB4468742, KB4471389

 

KB4480116, KB4480962, KB4480963, KB4480975 are the same single issue with authenticating hotspots (Cumulative Update/Monthly Rollup)

Applies to:  Windows 10 1507/1809, Windows 8.1, Windows Server 2012/2012R2

https://support.microsoft.com/en-us/help/4480962

https://support.microsoft.com/en-us/help/4480963/windows-8-1-update-kb4480963

https://support.microsoft.com/en-us/help/4480975/windows-server-2012-update-kb4480975

Symptom: After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-January.

 

KB4480961, KB4480973, KB4480978, KB4480966 have the hotspot issue and others

 

KB4480961 (Cumulative Update) Hotspot and new

Applies to:  Windows 10 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4480961

Symptom: System Center Virtual Machine Manager (SCVMM) managed workloads are noticing infrastructure management issues after VMM refresh as the Windows Management Instrumentation (WMI) class around network port is being unregistered on Hyper-V hosts.

Workaround: Run mofcomp for the scvmmswitchportsettings.mof, VMMDHCPSvr.mof, and other relevant SCVMM MOF Files. Please upgrade thru the SCVMM 2016 Update Rollup 6 (UR6) to expedite the Host Refresh activities after running mofcomp command.

Symptom: After installing this update on Windows Server 2016, instant search in Microsoft Outlook clients fail with the error, “Outlook cannot perform the search”.

Workaround: To alleviate the symptoms, run sfc /scannow as described in step 3 of Use the System File Checker tool to repair missing or corrupted system files. Then restart Microsoft Outlook.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: After installing KB4467691, Windows may fail to startup on certain Lenovo laptops that have less than 8 GB of RAM.

Workaround: Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Microsoft is working with Lenovo and will provide an update in an upcoming release.

 

KB4480966 (Cumulative Update) Hotspot and new

Applies to:  Windows 10 1803

https://support.microsoft.com/en-us/help/4480966/windows-10-update-kb4480966

Symptom: After installing KB4467682, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

Workaround: Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4480973, KB4480978 (Cumulative Update) Hotspot and ongoing previously reported issue that “SqlConnection can throw an exception”

Applies to:  Windows 10 1703/1709

https://support.microsoft.com/en-us/help/4480973/windows-10-update-kb4480973

https://support.microsoft.com/en-us/help/4480978/windows-10-update-kb4480978

 

KB4480970 DELAYED RELEASE (Monthly Rollup)

Applies to:  Windows 7 SP1, Windows Server 2008 R2 SP1

https://support.microsoft.com/en-us/help/4480970/windows-7-update-kb4480970

Symptom: After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.

Workaround: 1.To locate the network device, launch devmgmt.msc. It may appear under Other Devices.

2.To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu. •Alternatively, install the drivers for the network device by right-clicking the device and choosing Update. Then choose Search automatically for updated driver software or Browse my computer for driver software.

Symptom: Some users are reporting activation failures and “Not genuine” notifications starting around January 8, 2019, or later, on volume-licensed Windows 7 KMS clients. Notifications may state:

Workaround: Note The timing of this issue coincides with the release of the January updates (KB4480960 and KB4480970) that were released on Tuesday, January 8, 2019. These events are not related.

The issue has been corrected on the backend Microsoft Activation and Validation servers. If you are affected by this issue, please follow the guidance in the Knowledge Base Help article, KB4487266.

Symptom: Local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local “Administrators” group.

Workaround: To work around this issue use either a local account that is not part of the local “Administrators” group or any domain user (including domain administrators).

We recommend this workaround until a fix is available in a future release.

 

KB4468742, KB4471389

Applies to: Microsoft Exchange Server 2010/2013/2016/2019 (Manual Install Only)

https://support.microsoft.com/en-us/help/4468742/update-rollup-25-for-exchange-server-2010-service-pack-3

https://support.microsoft.com/en-us/help/4471389/description-of-the-security-update-for-microsoft-exchange-server-2019

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, select All Programs, and then select Accessories.
  2. Right-click Command prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update

 

Monthly Rollup/Security Only/Windows 10/Server 2016/2019 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

  • KB4480970 – Windows 7, Windows Server 2008 R2
  • KB4480963 – Windows 8.1, Windows Server 2012 R2
  • KB4480975 – Windows Server 2012
  • KB4480968 – Windows Server 2008

 

Security Only Update

  • KB4480960 – Windows 7, Windows Server 2008 R2
  • KB4480964 – Windows 8.1, Windows Server 2012 R2
  • KB4480972 – Windows Server 2012
  • KB4480957 – Windows Server 2008

 

Cumulative Update for Windows 10

  • KB4480962 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4480961 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4480973 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4480978 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4480966 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4480116 – Version 1809 “October 2018 Update” (OS Build 17763)

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4480965 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.

 

.NET Framework

Security and Quality Rollup (Security Only) for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2

  • KB4481480 (KB4481481)- Windows 7, Windows Server 2008 R2
  • KB4481484 (KB4481485)- Windows 8.1, Windows Server 2012 R2
  • KB4481482 (KB4481483)- Windows Server 2012
  • KB4481486 (KB4481487)- Windows Server 2008 (.NET Framework 2.0, 3.0, 4.5.2, 4.6)

 

KB4480979 – Security Update for Adobe Flash Player

 

January 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4484800/january-2019-updates-for-microsoft-office

 

 

Notable CVEs

CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability (Cumulative Update December 19, 2018)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

 

CVE-2019-0539 | Chakra Scripting Engine Memory Corruption Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0539

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.

 

CVE-2019-0547 | Windows DHCP Client Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0547

A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.

To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client.

The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.

 

CVE-2019-0550 | Windows Hyper-V Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0550

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.

 

CVE-2019-0551 | Windows Hyper-V Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0551

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.

 

CVE-2019-0565 | Microsoft Edge Memory Corruption Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0565

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.

The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.

 

CVE-2019-0567 | Chakra Scripting Engine Memory Corruption Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0567

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.

 

CVE-2019-0568 | Chakra Scripting Engine Memory Corruption Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0568

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.

 

CVE-2019-0579 | Jet Database Engine Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0579

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.