Virtual Administrator’s June 2019 Patch Recommendations
This month Microsoft released patches for 88 vulnerabilities with 20 of them rated “Critical”
All June patches have been approved in our patch policy.
Most of this month’s critical vulnerabilities are in Microsoft’s browsers. The latest Adobe Flash update should be prioritized. Microsoft Word has two serious Remote Code Execution (RCE) vulnerabilities (CVE-2019-1034 and CVE-2019-1035) but the user must open a specially crafted file to exploit. Three RCE vulnerabilities are patched in Hyper-V Hypervisor Escape (CVE-2019-0620, CVE-2019-0709, and CVE-2019-0722) which could allow a user on a guest system to run arbitrary code on the host system.
Looking for information on BlueKeep?
Making headlines this month is large organizations such as the NSA asking people to patch their machines against the Wannacry vulnerability referred to as Bluekeep (CVE-2019-0708). Bluekeep was part of May’s cumulative roll-up patch. We reported on this before it was titled Bluekeep at the top of the “Noteable CVE” section down near the bottom of the May Patch Notes.
Bottom line is that this patch was approved and you just need to make sure it is installed on your machines.
You can read more on that here.
FYI [ADV990001] – New Servicing Stack Updates (SSU) for Windows 10 (1607/Server 2016 and 1809/Server 2019)
Find our audit script and information on the SSU Stack Updates here.
Disclosed: CVE-2019-1064, CVE-2019-1069, CVE-2019-1053 and CVE-2019-0973
Exploited: None
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Affected software include:
- Adobe Flash Player
- Microsoft Windows
- Internet Explorer
- Microsoft Edge
- Microsoft Office and Microsoft Office Services and Web Apps
- ChakraCore
- Skype for Business and Microsoft Lync
- Microsoft Exchange Server
- Azure
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018|Last Updated: 06/11/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
ADV190015 | June 2019 Adobe Flash Security Update (Published: 06/11/2019)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190015
This security update addresses the following vulnerability, which is described in Adobe Security Bulletin APSB19-30: CVE-2019-7845.
ADV190016 | Bluetooth Low Energy Advisory (Published: 06/11/2019)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190016
Microsoft is aware of an issue that affects the Bluetooth Low Energy (BLE) version of FIDO Security Keys. Due to a misconfiguration in the Bluetooth pairing protocols, it is possible for an attacker who is physically close to a user at the moment he/she uses the security key to communicate with the security key, or communicate with the device to which the key is paired.
Google has issued CVE-2019-2102 for this vulnerability.
To address this issue, Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration.
ADV190017 | Microsoft HoloLens Remote Code Execution Vulnerabilities (Published: 06/11/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190017
Microsoft is aware of vulnerabilities that affect the Broadcom wireless chipset included in the Microsoft HoloLens device. The vulnerabilities could allow an unauthenticated attacker in physical proximity to cause a denial of service condition or execute code on a target system. The vulnerabilities were issued CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.
To address this issue, Microsoft has included the updated Broadcom firmware in the latest HoloLens update
ADV190018 | Microsoft Exchange Server Defense in Depth Update (Published: 06/12/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190018
Microsoft has released an update for Microsoft Exchange Server that provides enhanced security as a defense in depth measure, preventing crashes from uploading certain file types. (KB4503027,KB4503028)
Known Issues per Microsoft
Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.
Windows 10 release information
https://docs.microsoft.com/en-us/windows/release-information/
There are a few known issues this month listed below. Microsoft continues to list older known issues in the current KBs. Only new issues are listed. If a machine was not affected by an older know issue, it should not have problems with the new update.
Known Issues by product
Exchange Server 2010/2013/2016/2019
https://support.microsoft.com/en-us/help/4503027/security-update-for-microsoft-exchange-server-2019-june-11-2019
- When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.
Windows 7 SP1 and Server 2008 R2
https://support.microsoft.com/en-us/help/4503292
- Issue with McAfee products that may cause the system to have slow startup or become unresponsive at restart.
- Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers.
- When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error.
Windows 8.1 and Server 2012 R2
https://support.microsoft.com/en-us/help/4503276/june-11-2019-kb4503276-os-build-monthly-rollup
- Issue with McAfee products that may cause the system to have slow startup or become unresponsive at restart.
- Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers.
- Certain operations on Cluster Shared Volumes may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
- When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error.
Windows 10 Version 1709/1803
- Certain operations on Cluster Shared Volumes may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
Windows 10 Version 1809
https://support.microsoft.com/en-us/help/4503327
- Certain operations on Cluster Shared Volumes may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
- Printing from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error
- After installing KB4493509, devices with some Asian language packs installed may receive the error
Windows 10 Version 1903
https://support.microsoft.com/en-us/help/4503293
- Windows Sandbox may fail to start with ERROR_FILE_NOT_FOUND (0x80070002)
Known Issues by type
Exchange Server
Symptom: When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.
Workaround: Manually install this security update as administrator.
Status: Use workaround
Cluster Shared Volume (CSV)
Symptom: Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Workaround: Do one of the following
- Perform the operation from a process that has administrator privilege.
- Perform the operation from a node that doesn’t have CSV ownership.
Status: Microsoft is working on a resolution and will provide an update in an upcoming release.
Internet Explorer 11
Symptom: Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.
Workaround: To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.
Status: We are working on a resolution and estimate a solution will be available in mid-July.
Custom Views in Event Viewer
Symptom: When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, “MMC has detected an error in a snap-in and will unload it.” and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.
Workaround: To mitigate this issue, see KB4508640 (https://support.microsoft.com/en-us/help/4508640/event-viewer-may-close-or-you-may-receive-an-error-when-using-custom-v).
Status: We are working on a resolution and estimate a solution will be available in late June.
Windows Sandbox
Symptom: Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
Workaround: None
Status: Microsoft is working on a resolution and will provide an update in an upcoming release.
Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB4503292 – Windows 7, Windows Server 2008 R2
- KB4503276 – Windows 8.1, Windows Server 2012 R2
- KB4503285 – Windows Server 2012
- KB4503273 – Windows Server 2008
Security Only Update
- KB4503269 – Windows 7, Windows Server 2008 R2
- KB4503290 – Windows 8.1, Windows Server 2012 R2
- KB4503263 – Windows Server 2012
- KB4503287 – Windows Server 2008
Cumulative Update for Windows 10
- KB4503291 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB4503267 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB4503279 – Version 1703 “Creators Update” (OS Build 15063)
- KB4503284 – Version 1709 “Fall Creators Update” (OS Build 16299)
- KB4503286 – Version 1803 “Spring Creators Update” (OS Build 17134)
- KB4503327 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB4503293 – Version 1903 “May 2019 Update” (OS Build 18362)
Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
KB4503259 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.
KB4503308 – Security Update for Adobe Flash Player
June 2019 updates for Microsoft Office
https://support.microsoft.com/en-us/help/4505743/june-2019-updates-for-microsoft-office
Notable CVEs
CVE-2019-0620 | Windows Hyper-V Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0620
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.
An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973
An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior.
A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation
CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1053
An elevation of privilege vulnerability exists when the Windows Shell fails to validate folder shortcuts. An attacker who successfully exploited the vulnerability could elevate privileges by escaping a sandbox.
To exploit this vulnerability, an attacker would require unprivileged execution on the victim system.
The security update addresses the vulnerability by correctly validating folder shortcuts.
CVE-2019-1064 | Windows Elevation of Privilege Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1064
An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links.
CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069
An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system.
To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system.
The security update addresses the vulnerability by correctly validating file operations.