Virtual Administrator’s November 2019 Patch Recommendations
This month Microsoft released patches for 74 vulnerabilities with 13 rated “Critical” in severity.
We have denied Office patches KB3085368, KB4484113, KB4484119 and KB4484127. All other November patches have been approved in our patch policy.
Only one vulnerability in Internet Explorer is currently known to be exploited (CVE-2019-1429). We have denied 4 patches for Office that are causing issues with Access (CVE-2019-1402) – see “Denied Patches” below. Intel posted a technical advisory concerning a processor Machine Check Error vulnerability (CVE-2018-12207) – see note below for Hyper-V users. There are new Servicing Stack Updates (SSU). No Adobe Flash Player patch this month and one new Security Advisory. Windows 10 Version 1909 (OS Build 18363) was officially released.
Denied Patches – KB3085368, KB4484113, KB4484119 and KB4484127 have been denied until after December 10, 2019.
Access users were seeing “Query ‘query name’ is corrupt” when attempting to run an Update query. More details are listed in the Known Issues section. Microsoft promised a fix by December 10 (Patch Tuesday). Provided that happens we will release these patches the following Friday (12/13) with the other December patches.
Intel technical advisory and Hyper-V (CVE-2018-12207) – There are special instructions for Hyper-V. While a protection mechanism is installed with this patch, it is not enabled by default. We hope to have a script for this posted on ClubMSP soon.
Guidance for protecting against Intel® Processor Machine Check Error vulnerability (CVE-2018-12207)
Notable News – Windows 10 version 1909 (OS Build 18363) released.
But you may already have it, because “the new features in Windows 10, version 1909 were included in the recent monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are currently in a dormant state.” Surprise!
Windows 10 update history
https://support.microsoft.com/en-ca/help/4529964/windows-10-update-history
Woody Leonhard writes a great article on different ways to approach upgrading (or not upgrading) Windows 10.
“How to block the Windows 10 November 2019 Update, version 1909, from installing”
Heads Up! Support for Windows 10 version 1803 (OS Build 17134) has ended
Windows lifecycle fact sheet – https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
FYI [ADV990001] – New Servicing Stack Updates (SSU) for most operating systems.
Up-to-date SSUs are critical. Many do not show up in the regular Windows Updater scans and should be installed in the background automatically. ClubMSP offers scripts to audit the current SSU version as well as installation scripts. We recommend that all partners run the “MS Stack Audit” to determine whether their machines are current. “MS Stack Audit AIO” can be used to install the newest SSU if necessary.
Disclosed: None
Exploited: CVE-2019-1429
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Affected software includes:
- Microsoft Windows
- Internet Explorer
- Microsoft Edge (EdgeHTML-based)
- ChakraCore
- Microsoft Office, Office Services and Web Apps
- Microsoft Exchange Server
- Visual Studio
- Azure Stack
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 11/13/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
Reason for Revision: A Servicing Stack Update has been released for all supported versions of Windows.
ADV190024 | Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM) (Published: 11/12/2019 | Last Updated: 11/13/2019)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024
A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key confidentiality protection for a specific algorithm (ECDSA). It is important to note that this is a TPM firmware vulnerability, and not a vulnerability in the Windows operating system or a specific application. Currently no Windows systems use the vulnerable algorithm. Other software or services you are running might use this algorithm.
Known Issues
Access error: “Query is corrupt”
Applies To: Access for Office 365, Access 2010/2013/2016/2019
Symptom: When attempting to run an Update query, it may not run and displays the error: “Query ‘query name’ is corrupt”.
The issue was introduced on November 12, 2019 via the following patch updates for MSI builds:
Office 2010: Description of the security update for Office 2010: November 12, 2019 (KB4484127)
Office 2013: Description of the security update for Office 2013: November 12, 2019 (KB4484119)
Office 2016: Description of the security update for Office 2016: November 12, 2019 (KB4484113)
Office 2016: November 12, 2019, update for Office 2016 (KB3085368)
Workaround: See link above.
Resolution: This issue will be fixed for all versions by December 10, 2019.
Unable to create a local user when setting up a new Windows device during the Out of Box Experience (OOBE)
Applies To: Windows 10 versions 1803-1909 and Windows Server version 1803/1903
https://support.microsoft.com/en-us/help/4524570
Symptom: When setting up a new Windows device during the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note: This issue does not affect using a Microsoft Account during OOBE.
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.
Resolution: Microsoft is working on a resolution and will provide an update in an upcoming release.
Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.
Windows 10 release information
https://docs.microsoft.com/en-us/windows/release-information/
Monthly Rollup/Security Only/Windows 10/Server 2016, 2019 KBs
Each KB article is at https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only (digits, without the “KB” prefix).
Security and Quality Rollup
- KB4525235 – Windows 7, Windows Server 2008 R2
- KB4525243 – Windows 8.1, Windows Server 2012 R2
- KB4525246 – Windows Server 2012
- KB4525234 – Windows Server 2008
Security Only Update
- KB4525233 – Windows 7, Windows Server 2008 R2
- KB4525250 – Windows 8.1, Windows Server 2012 R2
- KB4525253 – Windows Server 2012
- KB4525239 – Windows Server 2008
Cumulative Update for Windows 10
- KB4525232 – Original release version 1507 (OS Build 10240)
- None – Version 1511 (OS Build 10586)
- KB4525236 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB4525245 – Version 1703 “Creators Update” (OS Build 15063)
- KB4525241 – Version 1709 “Fall Creators Update” (OS Build 16299)
- KB4525237 – Version 1803 “Spring Creators Update” (OS Build 17134)
- KB4523205 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB4524570 – Version 1903 “May 2019 Update” (OS Build 18362)
- KB4524570 – Version 1909 “November 2019 Update” (OS Build 18363)
Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
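One way to apply the list above to an exported host inventory, as an added example that is not part of the original bulletin or any ClubMSP script. It covers only the Windows 10/Server 2016/2019 builds listed here; the record shape (`name`, `build`, `installed`), the finding labels and the sample hosts are assumptions constructed for illustration.

```python
# Added example: triage hosts against this bulletin's November 2019 list.
# Build -> cumulative update KB, copied from the Windows 10 list above.
NOV_2019_CU = {
    10240: "KB4525232",
    10586: None,          # version 1511: no update listed this month
    14393: "KB4525236",   # also Server 2016, per the note above
    15063: "KB4525245",
    16299: "KB4525241",
    17134: "KB4525237",
    17763: "KB4523205",   # also Server 2019, per the note above
    18362: "KB4524570",
    18363: "KB4524570",
}
DENIED_OFFICE = {"KB3085368", "KB4484113", "KB4484119", "KB4484127"}
END_OF_SUPPORT = {17134}  # version 1803, per the "Heads Up" item

def normalize(kb):
    """Accept '4525237', 'kb4525237' or 'KB4525237' and return 'KB4525237'."""
    s = str(kb).strip().upper()
    return s if s.startswith("KB") else "KB" + s

def triage(host):
    """Return the findings for one host record (hypothetical record shape)."""
    installed = {normalize(k) for k in host.get("installed", [])}
    build = host["build"]
    findings = []
    if build not in NOV_2019_CU:
        findings.append("unknown-build")
    elif NOV_2019_CU[build] is None:
        findings.append("no-november-cu-listed")
    elif NOV_2019_CU[build] not in installed:
        findings.append("missing:" + NOV_2019_CU[build])
    if build in END_OF_SUPPORT:
        findings.append("end-of-support")
    # Denied Office patches should not be present until they are re-approved.
    findings += ["denied-installed:" + kb for kb in sorted(installed & DENIED_OFFICE)]
    return findings

# Constructed sample inventory; KB0000001 is a placeholder, not a real update.
INVENTORY = [
    {"name": "ws-01", "build": 18363, "installed": ["KB4524570"]},
    {"name": "ws-02", "build": 17134, "installed": ["4525237", "kb4484113"]},
    {"name": "srv-01", "build": 17763, "installed": ["KB0000001"]},
    {"name": "old-01", "build": 10586, "installed": []},
]

def report(inventory=INVENTORY):
    return {h["name"]: triage(h) for h in inventory}
```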
KB4525106 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.
None – Security Update for Adobe Flash Player
November 2019 updates for Microsoft Office
https://support.microsoft.com/en-us/help/4527848/november-2019-updates-for-microsoft-office
Notable CVEs
CVE-2018-12207 | Windows Denial of Service Vulnerability (Cumulative Update/Monthly Rollup)
A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding.
The update addresses the vulnerability by correcting how Windows handles objects in memory.
CVE-2019-1373 | Microsoft Exchange Remote Code Execution Vulnerability (KB4523171)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1373
A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the logged in user.
Exploitation of this vulnerability requires that a user run cmdlets via PowerShell.
The security update addresses the vulnerability by correcting how Exchange serializes its metadata.
CVE-2019-1402 | Microsoft Office Information Disclosure Vulnerability (KB3085368, KB4484113, KB4484119 and KB4484127)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1402
An information disclosure vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.
To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.
The security update addresses the vulnerability by correcting how Microsoft Office handles objects in memory.
CVE-2019-1429 | Scripting Engine Memory Corruption Vulnerability (KB4525106/Cumulative Update/Monthly Rollup)
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.