Virtual Administrator’s February 2019 Patch Recommendations

This month Microsoft released patches for 77 vulnerabilities with 20 of them rated “Critical”, 54 “Important” and 3 “Moderate”.

 

All February patches have been approved in our patch policy.

A lot of smoke this month but not a whole lot of fire. Microsoft released a large number of patches and a bunch have known issues. However, most of the known issues are minor. There is an Internet Explorer vulnerability which is being actively exploited (CVE-2019-0676). A critical DHCP vulnerability could allow an attacker to run arbitrary code on the DHCP server (CVE-2019-0626). There is a fix for the Microsoft Exchange vulnerability involving a bug in Exchange Web Services (EWS) push notifications (CVE-2019-0686). Make sure to review the “Known Issues with Exchange Server” at the bottom of this page. There is a SharePoint Remote Code Execution (RCE) vulnerability (CVE-2019-0594/CVE-2019-0604). There are also some new Servicing Stack Updates (SSU) for most versions of Windows 10.

The Internet Explorer and DHCP vulnerabilities are included in the Monthly Rollup/Cumulative Update. The others are individual KBs.

 

Disclosed: CVE-2019-0636, CVE-2019-0646, CVE-2019-0647, and CVE-2019-0686.

Exploited: CVE-2019-0676

 

FYI – New Servicing Stack Updates (SSU) for Windows 10 v1607/KB4485447, v1703/KB4487327, v1709/KB4485448, and v1803/KB4485449 (ADV990001)

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • .NET Framework
  • Microsoft Exchange Server
  • Microsoft Visual Studio
  • Azure IoT SDK
  • Microsoft Dynamics
  • Team Foundation Server
  • Visual Studio Code

 

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018|Last Updated: 02/13/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.

 

ADV190003 | February 2019 Adobe Flash Security Update (Published: 02/12/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190003

This security update addresses the following vulnerability, which is described in Adobe Security Bulletin APSB19-06: CVE-2019-7090.

 

ADV190006 | Guidance to mitigate unconstrained delegation vulnerabilities (Published: 02/12/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190006

Active Directory Forest trusts provide a secure way for resources in a forest to trust identities from another forest. This trust is directional; a trusted forest can authenticate its users to the trusting forest without allowing the reverse.

A feature, Enforcement for forest boundary for Kerberos full delegation, was introduced in Windows Server 2012 that allows an administrator of the trusted forest to configure whether Ticket-Granting Tickets (TGTs) may be delegated to a service in a trusting forest.

An unsafe default configuration for this feature exists when setting up inbound trusts that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.

This advisory addresses the issue by recommending a new safe default configuration for unconstrained Kerberos delegation across Active Directory forest trusts that supersedes the original unsafe configuration.
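To see where this applies in your own forest, the following added example (not part of the advisory or of this post) classifies trusts by their TGT delegation flags. The flag names and bit values come from the MS-ADTS definition of the trustAttributes attribute and are not on this page; the function name and the sample rows are constructed for illustration.

```powershell
# Added example: flag values follow the MS-ADTS trustAttributes definition;
# Get-TrustTgtDelegationState and the sample rows below are constructed.
$TrustDirectionInbound = 0x1    # the other forest trusts this one
$ForestTransitive      = 0x8    # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
$NoTgtDelegation       = 0x200  # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
$EnableTgtDelegation   = 0x800  # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION

function Get-TrustTgtDelegationState {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Trust
    )
    process {
        $attrs   = [int]$Trust.trustAttributes
        $inbound = ([int]$Trust.trustDirection -band $TrustDirectionInbound) -ne 0
        $forest  = ($attrs -band $ForestTransitive) -ne 0
        $blocked = ($attrs -band $NoTgtDelegation) -ne 0
        $enabled = ($attrs -band $EnableTgtDelegation) -ne 0

        # Only inbound forest trusts are in scope for the advisory.
        if (-not ($inbound -and $forest)) { $state = 'NotInboundForestTrust' }
        elseif ($blocked -and $enabled)   { $state = 'ConflictingFlags' }
        elseif ($blocked)                 { $state = 'Blocked' }
        elseif ($enabled)                 { $state = 'ExplicitlyAllowed' }
        else                              { $state = 'DefaultOfInstalledUpdates' }

        [pscustomobject]@{
            Name            = $Trust.Name
            TrustAttributes = '0x{0:X}' -f $attrs
            TgtDelegation   = $state
        }
    }
}

# Constructed sample rows shaped like trustedDomain objects.
$sample = @(
    [pscustomobject]@{ Name = 'partner.example';  trustDirection = 3; trustAttributes = 0x8 }
    [pscustomobject]@{ Name = 'resource.example'; trustDirection = 1; trustAttributes = 0x208 }
    [pscustomobject]@{ Name = 'legacy.example';   trustDirection = 1; trustAttributes = 0x808 }
    [pscustomobject]@{ Name = 'child.example';    trustDirection = 3; trustAttributes = 0x20 }
)
$sample | Get-TrustTgtDelegationState | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
#       -Properties trustDirection, trustAttributes | Get-TrustTgtDelegationState
```

A result of DefaultOfInstalledUpdates means neither flag is set, so the effective behavior depends on which default the domain controllers' installed updates apply; those trusts are the ones to review against the advisory.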

 

ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability (Published: 02/05/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190007

An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.

 

Known Issues: KB4345836, KB4471391, KB4471392, KB4486563, KB4486564, KB4486993, KB4487000, KB4487019, KB4487020, KB4487023, KB4487025, KB4487026, KB4487028, KB4486996, KB4487017, KB4487044, KB4487052

This is a huge number of KBs with issues. It’s really not that bad, as many are single minor problems. We listed the Exchange issues at the end of this post due to the length. Also, we only list the new known issues. Some are recurring problems that surfaced months ago. If you have not seen them yet, you are likely unaffected.

KB4486563, KB4486564, KB4486993, KB4487000, KB4487019, KB4487023, KB4487025, KB4487028 (Monthly Rollup)

Applies to: Windows 7/8.1, Server 2008/2008R2, 2012/2012R2

Symptom: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host.

Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4486563, KB4486564, KB4486993, KB4487025

Applies to: Windows 7, Server 2008R2, 2012 (Monthly Rollup)

Symptom: After installing this update, the Event Viewer may not show some event descriptions for network interface cards (NIC).

Workaround: Currently, there is no workaround for this issue.

Microsoft is working on a resolution and estimates a solution will be available in March 2019.

 

KB4486563, KB4487020, KB4487023, KB4487026, KB4486996, KB4487017, KB4487044

Applies to: Windows 7, Server 2008R2, Windows 10

Symptom: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two-character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links take the form https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only (digits, without the “KB” prefix).

 

Security and Quality Rollup

  • KB4486563 – Windows 7, Windows Server 2008 R2
  • KB4487000 – Windows 8.1, Windows Server 2012 R2
  • KB4487025 – Windows Server 2012
  • KB4487023 – Windows Server 2008

 

Security Only Update

  • KB4486564 – Windows 7, Windows Server 2008 R2
  • KB4487028 – Windows 8.1, Windows Server 2012 R2
  • KB4486993 – Windows Server 2012
  • KB4487019 – Windows Server 2008

 

Cumulative Update for Windows 10

  • KB4487018 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4487026 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4487020 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4486996 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4487017 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4487044 – Version 1809 “October 2018 Update” (OS Build 17763)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4486474 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

.NET Framework

Security and Quality Rollup (Security Only) for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2

  • KB4487078 (KB4487121) – Windows 7, Windows Server 2008 R2
  • KB4487080 (KB4487123) – Windows 8.1, Windows Server 2012 R2
  • KB4487079 (KB4487122) – Windows Server 2012
  • KB4487081 (KB4487124) – Windows Server 2008 (.NET Framework 2.0, 3.0, 4.5.2, 4.6)

  • KB4487038 – Security Update for Adobe Flash Player

 

February 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4488446/february-2019-updates-for-microsoft-office

 

Notable CVEs

CVE-2019-0594/CVE-2019-0604 – Microsoft SharePoint Remote Code Execution Vulnerability (KB4462155, KB4462143, KB4461630, KB4462171)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0594

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploitation of this vulnerability requires that a user upload a specially crafted SharePoint application package to an affected version of SharePoint.

The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

 

CVE-2019-0626 – Windows DHCP Server Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0626

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server.

To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server.

The security update addresses the vulnerability by correcting how DHCP servers handle network packets.

 

CVE-2019-0676 – Internet Explorer Information Disclosure Vulnerability (Cumulative Update or KB4486474)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0676

An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.

An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website.

The security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory.

 

CVE-2019-0686 – Microsoft Exchange Server Elevation of Privilege Vulnerability (KB4487052, KB4345836, KB4471392, KB4471391)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686

An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users.

Exploitation of this vulnerability requires Exchange Web Services (EWS) and Push Notifications to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.

To address this vulnerability, Microsoft has changed the notifications contract established between EWS clients and Exchange Servers to not allow authenticated notifications to be streamed by the server. Instead, these notifications will be streamed using anonymous authentication mechanisms.

 

 

Known Issues with Exchange Server 2010/2013/2016/2019

KB4345836

Cumulative Update 22 for Exchange Server 2013

https://support.microsoft.com/en-us/help/4345836/cumulative-update-22-for-exchange-server-2013

Known issues:

In multidomain Active Directory forests in which Exchange is installed or has been prepared previously by using the /PrepareDomain option in SETUP, this action must be completed after the /PrepareAD command for this cumulative update has been completed and the changes are replicated to all domains. Setup will try to execute the /PrepareAD command during the first server installation. Installation will finish only if the user who initiated SETUP has the appropriate permissions.

 

Cumulative Update 1 for Exchange Server 2019

KB4471391

https://support.microsoft.com/en-us/help/4471391/cumulative-update-1-for-exchange-server-2019

Known issues:

1 After you install Cumulative Update 1 for Exchange Server 2019, the Accept button disappears in the invitation email message of a shared calendar in the Outlook on the web client (previously known as Outlook Web App). Therefore, you cannot add the shared calendar by clicking the Accept button directly. To work around this issue, you can use one of the following methods:

-Open the invitation from the Notifications pane in Outlook on the web.

-Add the shared calendar manually in Outlook on the web. For more information, see How to open a shared calendar from an Outlook sharing invitation.

-Open the invitation in Outlook, and then add the shared calendar.

2 In multidomain Active Directory forests in which Exchange is installed or has been prepared previously by using the /PrepareDomain option in SETUP, this action must be completed after the /PrepareAD command for this cumulative update has been completed and the changes are replicated to all domains. Setup will try to execute the /PrepareAD command during the first server installation. Installation will finish only if the user who initiated SETUP has the appropriate permissions.

 

 

Cumulative Update 12 for Exchange Server 2016

KB4471392

https://support.microsoft.com/en-us/help/4471392/cumulative-update-12-for-exchange-server-2016

Known issues:

1 After you install Cumulative Update 12 for Exchange Server 2016, the Accept button disappears in the invitation email message of a shared calendar in Microsoft Outlook on the web client (previously known as Outlook Web App). Therefore, you cannot add the shared calendar by clicking the Accept button directly. To work around this issue, you can use one of the following methods:

-Open the invitation from the Notifications pane in Outlook on the web.

-Add the shared calendar manually in Outlook on the web. For more information, see How to open a shared calendar from an Outlook sharing invitation.

-Open the invitation in Outlook, and then add the shared calendar.

2 In multidomain Active Directory forests in which Exchange is installed or has been prepared previously by using the /PrepareDomain option in SETUP, this action must be completed after the /PrepareAD command for this cumulative update has been completed and the changes are replicated to all domains. Setup will try to execute the /PrepareAD command during the first server installation. Installation will finish only if the user who initiated SETUP has the appropriate permissions.

 

Update Rollup 26 for Exchange Server 2010 Service Pack 3

KB4487052

https://support.microsoft.com/en-us/help/4487052/update-rollup-26-for-exchange-server-2010-service-pack-3

Known issues:

  • When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, select All Programs, and then select Accessories.
  2. Right-click Command prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

  • Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to their usual state.

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update from an elevated command prompt. For more information about how to open an elevated command prompt, visit the following Microsoft webpage: Start a Command Prompt as an Administrator
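A scripted variant of the manual install steps and the disabled-services fix above, as an added example that is not Microsoft's procedure or part of the original post. The function names and the 'MSExchange%' service-name filter are assumptions, and the .msp path in the usage comment is a placeholder.

```powershell
# Added example, not Microsoft's procedure. The 'MSExchange%' name filter and
# all function names are assumptions; adjust the filter to your servers.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExchangeServiceStartMode {
    # Snapshot: service name -> StartMode ('Auto', 'Manual' or 'Disabled').
    $map = @{}
    Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'MSExchange%'" |
        ForEach-Object { $map[$_.Name] = $_.StartMode }
    return $map
}

function Install-ExchangeRollup {
    param([Parameter(Mandatory = $true)][string]$MspPath)
    # A non-elevated run is the case that fails silently, so refuse it up front.
    if (-not (Test-IsElevated)) {
        throw 'Not elevated: start PowerShell with "Run as administrator" first.'
    }
    if (-not (Test-Path -LiteralPath $MspPath -PathType Leaf)) {
        throw "Update file not found: $MspPath"
    }
    # msiexec /update applies the .msp; 0 = success, 3010 = success, reboot needed.
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList @('/update', "`"$MspPath`"")
    return $proc.ExitCode
}

function Restore-ExchangeServiceStartMode {
    # Re-enable only services that were Automatic before and are Disabled now,
    # so services an administrator disabled on purpose stay disabled.
    param([Parameter(Mandatory = $true)][hashtable]$Before)
    $after = Get-ExchangeServiceStartMode
    foreach ($name in $Before.Keys) {
        if ($Before[$name] -eq 'Auto' -and $after[$name] -eq 'Disabled') {
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name
            $name   # emit the name of each service that was restored
        }
    }
}

# Typical sequence (the .msp path is a placeholder):
#   $before = Get-ExchangeServiceStartMode
#   $code   = Install-ExchangeRollup -MspPath 'C:\Temp\<rollup-file>.msp'
#   if ((0, 3010) -contains $code) { Restore-ExchangeServiceStartMode -Before $before }
```

Taking the snapshot before the install matters: restoring every disabled Exchange service to Automatic afterwards would also switch on services that were deliberately turned off.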