Virtual Administrator’s April 2019 Patch Recommendations

Patch Blog Update: Monthly Rollups/Cumulative Updates are safe to release

 

The known conflicts several antivirus products have with April's patches have been addressed. We are re-enabling patching on the agents we suspended last week on our on-prem KServers. So far Microsoft does not appear to be modifying the patches and is relying on the antivirus vendors to update their products. Check your vendor's site for details and guidance.

In addition to Sophos, Avast and Avira, listed last week, ArcaBit and McAfee also appear to have issues. Microsoft “has temporarily blocked devices from receiving this update” on machines with Sophos, ArcaBit or Avira installed. Avast has released emergency updates. The McAfee issue is still under investigation.

Additional details and links can be found in the Windows 7 Monthly Rollup notes here: https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472

The Windows 7 and 8.1 rollup notes list all five vendors as potential problems. Server 2008 and 2012 are affected by Sophos and Avira. The only affected version of Windows 10 is 1809, and there the issue is limited to ArcaBit.

  • Sophos Endpoint – Microsoft has temporarily blocked devices from receiving this update.
  • Avira antivirus – Microsoft has temporarily blocked devices from receiving this update.
  • ArcaBit antivirus – Microsoft has temporarily blocked devices from receiving this update.
  • Avast has released emergency updates to address this issue.
  • McAfee – We are presently investigating this issue with McAfee.

This month Microsoft released patches for 74 vulnerabilities, 16 of them rated “Critical”.

All April patches have been approved in our patch policy. We have suspended patching on Windows 7 machines with Avast or Avira anti-virus installed; on Virtual Administrator servers the patches are effectively denied on those machines. Details are below.

This month brings two zero-day fixes, startup and performance issues with several anti-virus products, and two new Servicing Stack Updates (SSU).

The two zero-day fixes (CVE-2019-0803 and CVE-2019-0859) address Win32k elevation of privilege vulnerabilities that are being exploited in the wild.

Three Critical remote code execution (RCE) vulnerabilities are patched in GDI+ (CVE-2019-0853), IOleCvt (CVE-2019-0845) and Windows Hyper-V (CVE-2019-0786). Also patched is CVE-2019-0841, an elevation of privilege vulnerability in the Windows AppX Deployment Service (AppXSVC) for which a proof of concept (PoC) has been published.

Heads Up!

Sophos, Avast and Avira anti-virus products have issues with most Cumulative Updates and Monthly Rollups. Microsoft has already blocked devices with Sophos installed from receiving the update. The Avast issue appears to affect only Windows 7 machines, which may freeze on startup. Machines with Avira will start but run slowly; the Avira slowness affects both Windows 7 and Windows 10.

More information is below under “Known Issues”. If you have problems you will need to uninstall the update, which may require booting into Safe Mode.

On our on-prem KServers we have suspended patching on Windows 7 machines with Avast anti-virus installed and will review again next Friday.

New Servicing Stack Updates

[ADV990001] – New Servicing Stack Updates (SSU) for Windows 10 Version 1809/Server 2019 (KB4493510) and Server 2008 SP2 (KB4493730)

Notable News

Last month Microsoft released KB4493132, which generated a Windows 7 SP1 end-of-life (EOL) support notification on the desktop. We denied KB4493132: it is classified as an optional update and we felt it would unduly alarm end users.

 

Disclosed: None

Exploited: CVE-2019-0803, CVE-2019-0859

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • ASP.NET
  • Microsoft Exchange Server
  • Team Foundation Server
  • Azure DevOps Server
  • Open Enclave SDK
  • Windows Admin Center

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018|Last Updated: 04/09/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.

 

ADV190011 | April 2019 Adobe Flash Security Update (Published: 04/09/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190011

This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB19-19: CVE-2019-7096, CVE-2019-7108.

 

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities (Published: 01/03/2018|Last Updated: 04/09/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002

New updates for Windows 7/8.1, Windows 10 Version 1803 and Windows Server 2008R2/2012R2

 

Known Issues per Microsoft:

We have a number of known issues this month listed below.

 

Anti-virus boot up and performance with Sophos, Avast and Avira affects:

  • Sophos Endpoint Protection
      • KB4493451/KB4493450 Windows Server 2012 (Monthly Rollup/Security-only Rollup)
      • KB4493446/KB4493467 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup/Security-only Rollup)
      • KB4493472/KB4493448 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup/Security-only Rollup)
      • KB4493471/KB4493458 Windows Server 2008 Service Pack 2 (Monthly Rollup/Security-only Rollup)
  • Avast for Business and CloudCare
      • KB4493472/KB4493448 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup/Security-only Rollup)
  • Avira Antivirus
      • KB4493509 Windows 10 version 1809/Server 2019
      • KB4493472/KB4493448 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup/Security-only Rollup)
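The vendor-to-KB mapping above is what a technician needs in order to decide, machine by machine, whether a host is exposed to the freeze/slowdown or still safe to patch. The script below is an added example (not part of the original post or of any vendor's tooling) that performs that triage on a single host: it detects the affected products from the Uninstall registry keys, checks which of the conflicting KBs are already installed with Get-HotFix, and prints the wusa rollback command for any hit. The vendor name patterns used for detection are assumptions; adjust them to the product names you actually deploy.

```powershell
# Added example (not from the original post): triage a host against the
# anti-virus/rollup conflicts listed above.

# Vendor -> conflicting April 2019 KBs, taken from the Known Issues list above.
$Conflicts = @{
    Sophos = 'KB4493451','KB4493450','KB4493446','KB4493467','KB4493472','KB4493448','KB4493471','KB4493458'
    Avast  = 'KB4493472','KB4493448'
    Avira  = 'KB4493509','KB4493472','KB4493448'
}

function Get-InstalledAvVendor {
    # Read the Uninstall keys instead of Win32_Product (which is slow and
    # triggers an MSI consistency check on every installed product).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $names = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             ForEach-Object { $_.DisplayName } | Where-Object { $_ }
    foreach ($vendor in $Conflicts.Keys) {
        # Matching the vendor name in DisplayName is an assumption; tune per product.
        if ($names -match $vendor) { $vendor }
    }
}

function Get-AprilRollupConflict {
    # One record per installed affected vendor, listing the conflicting KBs present.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($vendor in Get-InstalledAvVendor) {
        $present = @($Conflicts[$vendor] | Where-Object { $installed -contains $_ })
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            Vendor         = $vendor
            ConflictingKBs = $present -join ','
            AtRisk         = ($present.Count -gt 0)
        }
    }
}

$report = Get-AprilRollupConflict
$report | Format-Table -AutoSize

# Rollback hint for hosts that already took a conflicting rollup (reboot required).
foreach ($row in $report | Where-Object AtRisk) {
    foreach ($kb in $row.ConflictingKBs -split ',') {
        "To remove $kb on $($row.ComputerName): wusa.exe /uninstall /kb:$($kb -replace '^KB','') /quiet /norestart"
    }
}
```

Run it from your RMM as SYSTEM so the HKLM Uninstall keys and Get-HotFix are readable; a host that reports a vendor but AtRisk = False is one you can keep suspended until the vendor fix lands, while AtRisk = True is a candidate for the rollback command it prints.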

 

Custom URI Schemes affects:

  • KB4493470 Windows 10 version 1607/Server 2016
  • KB4493474 Windows 10 version 1703
  • KB4493441 Windows 10 version 1709
  • KB4493464 Windows 10 version 1803
  • KB4493509 Windows 10 version 1809/Server 2019
  • KB4493435 Internet Explorer Cumulative Update

 

Preboot Execution Environment (PXE) affects:

  • KB4493470 Windows 10 version 1607/Server 2016
  • KB4493464 Windows 10 version 1803
  • KB4493509 Windows 10 version 1809/Server 2019
  • KB4493451/KB4493450 Windows Server 2012 (Monthly Rollup/Security-only Rollup)
  • KB4493446/KB4493467 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup/Security-only Rollup)

 

Kerberos ticket expires affects:

  • KB4493472/KB4493448 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup/Security-only Rollup)
  • KB4493471/KB4493458 Windows Server 2008 Service Pack 2 (Monthly Rollup/Security-only Rollup)

 

Exchange Manually Install affects:

  • KB4487563 Exchange Server 2013/2016/2019
  • KB4491413 Exchange Server 2010 SP3

 

SSU update stuck on restart affects:

  • KB4493730 Windows Server 2008 SP2

 

Symptom/Workaround

Anti-virus boot up and performance

Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

https://community.sophos.com/kb/en-us/133945

Windows Machines Running Avast for Business and CloudCare Freezing on Start-up

https://kb.support.business.avast.com/GetPublicArticle?title=Windows-machines-running-Avast-for-Business-and-Cloud-Care-Freezing-on-Start-up

Avira Why does my system run very slow?

https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1976

Symptom: Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround: Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

Custom URI Schemes

Symptom: After installing this security update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Workaround: Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

1) Go to Tools > Internet options > Security.

2) Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

3) Select Trusted sites and then select Enable Protected Mode.

4) Select OK.

You must restart the browser after making these changes.
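Clicking through Internet Options on every affected workstation does not scale, and Group Policy can silently override whatever the user sets. The script below is an added example (not from the original post or from Microsoft's article) that applies the same Protected Mode workaround from the registry. It uses the per-zone setting 2500 (0 = Protected Mode on, 3 = off) under the current user's Zones key for zone 1 (Local intranet) and zone 2 (Trusted sites), and warns instead of writing when a policy key for that zone exists. The zone numbers and the 2500 value are Internet Explorer's own; nothing else in the script is assumed.

```powershell
# Added example (not from the original post): script the "Enable Protected Mode"
# workaround for Local intranet (zone 1) and Trusted sites (zone 2).
# Zone setting 2500 = "Turn on Protected Mode": 0 = enabled, 3 = disabled.

$ZoneRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyRoots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$Zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites' }

function Get-IEProtectedMode {
    param([int]$Zone)
    $v = (Get-ItemProperty -Path "$ZoneRoot\$Zone" -Name 2500 -ErrorAction SilentlyContinue).'2500'
    if ($null -eq $v) { return 'not set (zone default)' }
    switch ($v) { 0 { 'enabled' } 3 { 'disabled' } default { "unknown ($v)" } }
}

function Set-IEProtectedMode {
    param([int]$Zone, [switch]$Enable)
    # Group Policy values win over the per-user setting; flag them rather than
    # writing a value the policy will override on the next refresh.
    foreach ($root in $PolicyRoots) {
        $p = Get-ItemProperty -Path "$root\$Zone" -Name 2500 -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            Write-Warning "Zone $Zone is policy-managed under $root (2500=$($p.'2500')); change it via GPO instead."
            return
        }
    }
    if (-not (Test-Path "$ZoneRoot\$Zone")) { New-Item -Path "$ZoneRoot\$Zone" -Force | Out-Null }
    $value = if ($Enable) { 0 } else { 3 }
    Set-ItemProperty -Path "$ZoneRoot\$Zone" -Name 2500 -Value $value -Type DWord
}

foreach ($z in $Zones.Keys) {
    "{0} (zone {1}): before = {2}" -f $Zones[$z], $z, (Get-IEProtectedMode -Zone $z)
    Set-IEProtectedMode -Zone $z -Enable
    "{0} (zone {1}): after  = {2}" -f $Zones[$z], $z, (Get-IEProtectedMode -Zone $z)
}
"Restart Internet Explorer for the change to take effect."
```

Run it in the user's context (the setting lives under HKCU), and test line-of-business sites first: Protected Mode runs the intranet and trusted zones at low integrity, which is exactly why many organisations turned it off for those zones in the first place, so expect some ActiveX-based intranet apps to need the Right-click > open in new tab workaround instead.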

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Preboot Execution Environment (PXE)

Symptom: After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Kerberos ticket expires

Symptom: After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL Server service fails.

Workaround: To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

Microsoft is working on a resolution and will provide an update in an upcoming release.
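The three workarounds above are easy to describe and fiddly to do on a server: the tickets that matter belong to the service's logon session, not to the admin's console session, and "use constrained delegation" first requires knowing which accounts are trusted for unconstrained delegation at all. The block below is an added example (not from the original post or from Microsoft's article) with one helper per option: it maps a service account to its Kerberos logon session IDs via CIM and purges them with klist -li, recycles the IIS app pool with the WebAdministration module, and enumerates unconstrained-delegation principals through an LDAP filter on the userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION), excluding domain controllers, which carry that bit by design. The account and app pool names in the usage lines are placeholders.

```powershell
# Added example (not from the original post): helpers for the three Kerberos
# workarounds above. Purging another logon session's tickets requires running
# as SYSTEM on the application server (scheduled task, psexec -s, or your RMM).

function Get-ServiceLogonSession {
    # Map a service account (DOMAIN\user) to its Kerberos logon session IDs.
    param([Parameter(Mandatory)][string]$Account)
    $domain, $user = $Account -split '\\', 2
    Get-CimInstance Win32_LoggedOnUser |
        Where-Object { $_.Antecedent.Domain -eq $domain -and $_.Antecedent.Name -eq $user } |
        ForEach-Object { Get-CimInstance Win32_LogonSession -Filter "LogonId='$($_.Dependent.LogonId)'" } |
        Where-Object { $_.AuthenticationPackage -eq 'Kerberos' } |
        Select-Object -Unique LogonId, LogonType, StartTime
}

function Clear-KerberosTicketsForSession {
    # Option 1: purge the ticket cache of one logon session (klist wants the LUID in hex).
    param([Parameter(Mandatory)][string]$LogonId)
    $luid = '0x{0:x}' -f [uint64]$LogonId
    klist -li $luid purge
}

function Restart-DependentAppPool {
    # Option 2: recycle the IIS app pool whose code path hits SQL Server.
    param([Parameter(Mandatory)][string]$Name)
    Import-Module WebAdministration
    Restart-WebAppPool -Name $Name
}

function Find-UnconstrainedDelegation {
    # Option 3 triage: users and computers trusted for unconstrained delegation
    # (userAccountControl bit 0x80000 = 524288). Domain controllers (primaryGroupID
    # 516) are excluded because they are trusted for delegation by design. No RSAT needed.
    $searcher = [adsisearcher]'(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('samAccountName', 'objectClass'))
    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            Name  = $_.Properties['samaccountname'][0]
            Class = ($_.Properties['objectclass'] | Select-Object -Last 1)
        }
    }
}

# Usage (placeholder names):
# Get-ServiceLogonSession -Account 'CONTOSO\svc-web' |
#     ForEach-Object { Clear-KerberosTicketsForSession -LogonId $_.LogonId }
# Restart-DependentAppPool -Name 'DefaultAppPool'
# Find-UnconstrainedDelegation | Format-Table -AutoSize
```

Because the purge only buys another ticket lifetime, schedule it only as a stopgap; the lasting fix is to move the accounts Find-UnconstrainedDelegation returns to constrained delegation (msDS-AllowedToDelegateTo), which also removes a well-known credential-theft primitive from the domain.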

 

Exchange Manually Install

Symptom: When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

Workaround: To avoid this issue, follow these steps to manually install this security update:

1) Select Start, and type cmd.

2) In the results, right-click Command Prompt, and then select Run as administrator.

3) If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.

4) Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. It may occur if the service control scripts experience a problem when they try to return the Exchange services to their usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated command prompt, see Start a Command Prompt as an Administrator.
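The two halves of this known issue (install elevated; then find and repair services the update left Disabled) are easy to script. The block below is an added example (not from the original post or from Microsoft's article) that refuses to run the .msp unless the session is elevated, applies it with msiexec /update, and then lists and repairs MSExchange* services whose StartMode is Disabled. The patch path is a placeholder. The exclusion list is an assumption worth checking against your own baseline: the POP3 and IMAP4 services are Manual by default on 2013/2016, so blindly setting every disabled Exchange service to Automatic would change configuration you did not intend to change.

```powershell
# Added example (not from the original post): apply the Exchange .msp from an
# elevated session, then find and repair Exchange services left Disabled.

$Patch = 'C:\Patches\Exchange2016-KB4487563-x64-en.msp'   # placeholder path

function Install-ExchangeSecurityUpdate {
    param([Parameter(Mandatory)][string]$Path)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated (Run as administrator) session; a non-elevated install silently leaves files unpatched.'
    }
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/update `"$Path`" /norestart" -Wait -PassThru
    return $p.ExitCode   # 0 = success, 3010 = success but a reboot is required
}

function Get-DisabledExchangeService {
    # StartMode comes from CIM; Get-Service only exposes StartType on PowerShell 5+.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Disabled'" |
        Select-Object Name, DisplayName, State, StartMode
}

function Repair-ExchangeServiceStartup {
    # Restore Automatic startup and start the service, as the known issue describes.
    # Exclusion list is an assumption: these are Manual by default, so leave them alone
    # unless you know they were Automatic on this server before the update.
    param([string[]]$Exclude = @('MSExchangePOP3', 'MSExchangePOP3BE', 'MSExchangeIMAP4', 'MSExchangeIMAP4BE'))
    foreach ($svc in Get-DisabledExchangeService) {
        if ($Exclude -contains $svc.Name) {
            Write-Warning "Skipping $($svc.Name): Manual by default, verify before enabling."
            continue
        }
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
        "$($svc.Name): startup=Automatic, state=$((Get-Service -Name $svc.Name).Status)"
    }
}

# Usage:
# Install-ExchangeSecurityUpdate -Path $Patch
# Get-DisabledExchangeService | Format-Table -AutoSize
# Repair-ExchangeServiceStartup
```

Run Get-DisabledExchangeService before the update as well as after: a diff of the two lists tells you exactly which services the patch disabled, which is a better basis for the repair step than the default-Manual assumption baked into -Exclude.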

 

SSU update stuck on restart

Symptom: Restart stuck on “Stage 2 of 2” or “Stage 3 of 3”

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

Workaround: If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

Note In managed environments, such as by using Windows Server Update Services (WSUS), you can avoid this issue by deploying this update as a standalone update.

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Each KB below links to https://support.microsoft.com/en-us/help/####### where ####### is the KB number without the “KB” prefix.

 

Security and Quality Rollup

KB4493472 – Windows 7, Windows Server 2008 R2

KB4493446 – Windows 8.1, Windows Server 2012 R2

KB4493451 – Windows Server 2012

KB4493471 – Windows Server 2008

 

Security Only Update

KB4493448 – Windows 7, Windows Server 2008 R2

KB4493467 – Windows 8.1, Windows Server 2012 R2

KB4493450 – Windows Server 2012

KB4493458 – Windows Server 2008

 

Cumulative Update for Windows 10

KB4493475 – Original release version 1507 (OS Build 10240)

None – Version 1511 (OS Build 10586)

KB4493470 – Version 1607 “Anniversary Update” (OS Build 14393)

KB4493474 – Version 1703 “Creators Update” (OS Build 15063)

KB4493441 – Version 1709 “Fall Creators Update” (OS Build 16299)

KB4493464 – Version 1803 “April 2018 Update” (OS Build 17134)

KB4493509 – Version 1809 “October 2018 Update” (OS Build 17763)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4493435 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer alone; otherwise it is “superseded” by the monthly update.

 

KB4493478 – Security Update for Adobe Flash Player

 

April 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4495300/april-2019-updates-for-microsoft-office

 

Notable CVEs

CVE-2019-0803 | Win32k Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803

CVE-2019-0859 | Win32k Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how Win32k handles objects in memory.

 

CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0853

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system.

 

CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0845

A remote code execution vulnerability exists when the IOleCvt interface renders ASP webpage content. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system.

 

CVE-2019-0786 | Hyper-V vSMB Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0786

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate vSMB packet data. An attacker who successfully exploited this vulnerability could execute arbitrary code on a target operating system.

 

CVE-2019-0841 | Windows Elevation of Privilege Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0841

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context.