Virtual Administrator’s August 2019 Patch Recommendations

This month Microsoft released patches for 94 vulnerabilities with 29 rated “Critical” and 65 as “Important”.


All August patches have been approved in our patch policy.


Lots of patches this month, but few known issues associated with them. There has been a lot of press about the newly disclosed “BlueKeep-like” Remote Desktop Services vulnerabilities (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226). While these are considered “wormable”, apparently no one has figured out how to exploit that aspect of them yet. So this is a big deal, but it is not an immediate threat. All are included in the Cumulative Update/Monthly Rollup.

There are two remote code execution (RCE) vulnerabilities (CVE-2019-0720 and CVE-2019-0965) patched in Hyper-V and Hyper-V Network Switch. Another RCE in Microsoft Windows LNK handling is considered wormable (CVE-2019-1188). RCE vulnerabilities in DHCP are also patched. Again, all are included in the Cumulative Update/Monthly Rollup.

For the second month in a row there is no Adobe Flash Player patch.

Microsoft released new guidance for LDAP on Active Directory domain controllers (ADV190023) – see “Security Advisories” below.


Heads Up! Symantec Endpoint Protection users: there is an issue where the Monthly Rollup for Windows 7/2008 R2 may not show as needed. See “Known Issues” below.


Reminder: Microsoft is withdrawing support for Windows 7 and Windows Server 2008 R2 from January 14, 2020.


Disclosed: None

Exploited: None


Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance


Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com


Affected software includes:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • ChakraCore
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Visual Studio
  • Online Services
  • Active Directory
  • Microsoft Dynamics


Microsoft Security Advisories


ADV190009 | SHA-2 Code Sign Support Advisory (Published: 03/12/2019 | Last Updated: 08/13/2019)

Microsoft is announcing the release of SHA-2 code sign support for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

Please see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS for more information.


ADV190014 | Microsoft Live Accounts Elevation of Privilege Vulnerability (Published: 08/13/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190014

An elevation of privilege vulnerability exists in Outlook Web Access (OWA) regarding a possible unsigned token. An attacker who successfully exploited this vulnerability could have access to another person’s email inbox.

To exploit this vulnerability, an attacker would first have to replace an unsigned token with a different one.

This vulnerability has been mitigated for all users’ Microsoft Live accounts.


ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing (Published: 08/13/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

LDAP channel binding and LDAP signing provide ways to increase the security of communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exists on Active Directory domain controllers that lets LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can expose Active Directory domain controllers to elevation of privilege vulnerabilities.

This advisory addresses the issue by recommending a new set of safe default configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers that supersedes the original unsafe configuration.
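The following PowerShell script is an added example and is not part of this post or of Microsoft's advisory. It reads the two NTDS registry values that ADV190023 is about on the local domain controller (LDAPServerIntegrity for signing, LdapEnforceChannelBinding for channel binding), and summarises the Directory Service events that record unsigned or clear-text binds (2887 is the periodic summary, 2889 is the per-client event that only appears once the "16 LDAP Interface Events" diagnostic level is raised to 2). The assumption that the first event property of 2889 holds the client IP:port is taken from the event's message layout. Run it elevated on a DC.

```powershell
# Added example, not from the original post: audit the ADV190023 settings
# on the local domain controller and count unsigned LDAP binds.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    $props = Get-ItemProperty -Path $ntds -ErrorAction Stop
    # LDAPServerIntegrity: 0/1 = signing not required (the unsafe default), 2 = required
    $signing = if ($null -ne $props.LDAPServerIntegrity) { [int]$props.LDAPServerIntegrity } else { 0 }
    # LdapEnforceChannelBinding: 0 = never (unsafe default), 1 = when supported, 2 = always
    $cbt = if ($null -ne $props.LdapEnforceChannelBinding) { [int]$props.LdapEnforceChannelBinding } else { 0 }
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LDAPServerIntegrity       = $signing
        SigningRequired           = ($signing -eq 2)
        LdapEnforceChannelBinding = $cbt
        ChannelBindingEnforced    = ($cbt -ge 1)
    }
}

function Get-UnsignedBindSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 2887: summary count of unsigned/simple binds in the last 24 h.
    # 2889: one event per client bind; only written at diagnostic level 2.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2887, 2889
        StartTime = $since
    } -ErrorAction SilentlyContinue
    # Assumption: Properties[0] of event 2889 is the client address (IP:port).
    $clients = $events | Where-Object Id -eq 2889 |
        ForEach-Object { $_.Properties[0].Value } |
        Sort-Object -Unique
    [pscustomobject]@{
        Window          = "$Hours h"
        SummaryEvents   = @($events | Where-Object Id -eq 2887).Count
        PerClientEvents = @($events | Where-Object Id -eq 2889).Count
        Clients         = $clients
    }
}

# Discover clients first, then enforce: raising the diagnostic level before
# setting LDAPServerIntegrity to 2 shows which legacy apps would break.
function Enable-UnsignedBindLogging {
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

Get-LdapHardeningState   | Format-List
Get-UnsignedBindSummary -Hours 24 | Format-List
```

Run Enable-UnsignedBindLogging, wait a day, and review the Clients list before switching the DC to required signing; an empty list with SigningRequired still false means the remaining exposure is clients that have not bound yet, not that there are none.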


Known Issues per Microsoft


A good resource for known issues with Windows 10 patches. Click the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/


Microsoft is reporting only one new known issue this month, which affects Visual Basic 6. It is listed in all the cumulative/rollup patches.

Again, Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely you will now.


Visual Basic – VB, VBA and VBScript

Symptom: After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

Workaround: None

Status: Microsoft is presently investigating this issue and will provide an update when available.


Known Issues reported from outside sources


Symantec Endpoint Protection

Windows 7/Windows 2008 R2 updates that are only SHA-2 signed are not available with Symantec Endpoint Protection installed

https://support.symantec.com/us/en/article.tech255857.html

“Microsoft KB4512506/KB4512486 is not visible as an available download with currently available versions of Symantec Endpoint Protection 14.x/12.1.x installed.”


Outlook 365

KB4512508 (Cumulative Update for Windows 10 Version 1903) may cause Outlook 365 to get stuck on loading profile. Uninstalling KB4512508 corrects the issue.


Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links follow the pattern https://support.microsoft.com/en-us/help/#######, where ####### is the KB number (digits only, without the “KB” prefix).


Security and Quality Rollup

  • KB4512506 – Windows 7, Windows Server 2008 R2
  • KB4512488 – Windows 8.1, Windows Server 2012 R2
  • KB4512518 – Windows Server 2012
  • KB4512476 – Windows Server 2008


Security Only Update

  • KB4512486 – Windows 7, Windows Server 2008 R2
  • KB4512489 – Windows 8.1, Windows Server 2012 R2
  • KB4512482 – Windows Server 2012
  • KB4512491 – Windows Server 2008


Cumulative Update for Windows 10

  • KB4512497 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB4512517 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB4512507 – Version 1703 “Creators Update” (OS Build 15063)
  • KB4512516 – Version 1709 “Fall Creators Update” (OS Build 16299)
  • KB4512501 – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB4511553 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB4512508 – Version 1903 “May 2019 Update” (OS Build 18362)


Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
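As an added example (not code from this post), the script below turns the KB lists above into a compliance check: it maps the OS build number of each machine to the August 2019 Cumulative Update or Monthly Rollup KB listed here and asks Win32_QuickFixEngineering (via Get-HotFix) whether that KB is installed. This is a useful sanity check on Windows 7/2008 R2 hosts running Symantec Endpoint Protection, where the rollup may not be offered at all. The build numbers for the pre-Windows 10 releases (7601, 9600, 9200, 6002) are general knowledge and not taken from the post; only the Monthly Rollup KBs are mapped, so a host patched with the Security Only update plus the IE cumulative will report the rollup as not installed.

```powershell
# Added example, not from the original post: verify the August 2019
# cumulative update / monthly rollup is installed, by OS build.

$ExpectedKb = @{
    # Windows 10 / Server 2016 / Server 2019, keyed by OS build
    '10240' = 'KB4512497'   # 1507
    '14393' = 'KB4512517'   # 1607, also Server 2016
    '15063' = 'KB4512507'   # 1703
    '16299' = 'KB4512516'   # 1709
    '17134' = 'KB4512501'   # 1803
    '17763' = 'KB4511553'   # 1809, also Server 2019
    '18362' = 'KB4512508'   # 1903
    # Older releases (Monthly Rollup), build numbers are an assumption
    # of this example rather than values from the post
    '7601'  = 'KB4512506'   # Windows 7 SP1 / Server 2008 R2 SP1
    '9600'  = 'KB4512488'   # Windows 8.1 / Server 2012 R2
    '9200'  = 'KB4512518'   # Server 2012
    '6002'  = 'KB4512476'   # Server 2008 SP2
}

function Test-AugustPatchState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($cn in $ComputerName) {
        $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $cn
        $build = $os.BuildNumber            # string, e.g. '18362'
        $kb    = $ExpectedKb[$build]
        if (-not $kb) {
            # Version 1511 (build 10586) has no August update in the list; any
            # other unknown build is out of scope for this check.
            [pscustomobject]@{
                ComputerName = $cn; Build = $build; ExpectedKb = 'n/a'
                Installed = $null; InstalledOn = $null
                Note = 'no August 2019 update listed for this build'
            }
            continue
        }
        # Get-HotFix reads Win32_QuickFixEngineering on the target.
        $hotfix = Get-HotFix -Id $kb -ComputerName $cn -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $cn
            Build        = $build
            ExpectedKb   = $kb
            Installed    = [bool]$hotfix
            InstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
            Note         = if ($hotfix) { '' } else { 'rollup not found; check Security Only + IE cumulative or WSUS visibility' }
        }
    }
}

Test-AugustPatchState | Format-Table -AutoSize
```

Pass a list of hostnames to -ComputerName to sweep a fleet; remote CIM and Get-HotFix require WinRM/RPC access and local administrator rights on each target.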


KB4511872 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.


None – Security Update for Adobe Flash Player


August 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4514418/august-2019-updates-for-microsoft-office


Notable CVEs


CVE-2019-0720 | Hyper-V Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0720

A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Windows Hyper-V Network Switch validates guest operating system network traffic.


CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0736

A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.

To exploit the vulnerability, an attacker could send specially crafted DHCP responses to a client.

The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.


CVE-2019-0965 | Windows Hyper-V Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0965

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.


CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181

CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
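The script below is an added example and not part of this post or of Microsoft's advisory. It inventories the local machine's exposure to the pre-authentication RDP vulnerabilities above: whether Remote Desktop is enabled, whether Network Level Authentication is required, which security layer and port are configured, whether the port is actually listening, and how many inbound firewall rules in the "Remote Desktop" group are enabled. Microsoft's advisory for CVE-2019-1181/1182 describes NLA as a partial mitigation, since it requires authentication before the vulnerable code path is reached; the August update remains the fix. The registry paths are the standard Terminal Server settings; the risk wording in Get-RdpRisk is this example's own.

```powershell
# Added example, not from the original post: report RDP exposure relevant to
# CVE-2019-1181 / CVE-2019-1182 on the local host.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $wsta = Get-ItemProperty -Path $tcp -ErrorAction SilentlyContinue
    $port = if ($wsta.PortNumber) { [int]$wsta.PortNumber } else { 3389 }
    # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS
    $layer = switch ([int]$wsta.SecurityLayer) {
        0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { 'unknown' }
    }
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -eq 0)
        NlaRequired    = ([int]$wsta.UserAuthentication -eq 1)   # UserAuthentication 1 = NLA on
        SecurityLayer  = $layer
        Port           = $port
        Listening      = $listening
        InboundFwRules = @($fwRules).Count
    }
}

# Coarse triage for prioritising the August update; wording is this example's own.
function Get-RdpRisk {
    param($State = (Get-RdpExposure))
    if (-not $State.RdpEnabled -or -not $State.Listening) {
        return 'low: RDP not reachable on this host'
    }
    if ($State.NlaRequired) {
        return 'medium: RDP reachable, NLA required (partial mitigation); apply the update'
    }
    return 'high: RDP reachable without NLA; apply the August update first'
}

$state = Get-RdpExposure
$state | Format-List
Get-RdpRisk -State $state
```

Hosts where RdpEnabled is false but Listening is true deserve a second look; a third-party service or a non-default listener may be bound to the port, and the patch state of that component is outside what this check covers.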


CVE-2019-1188 | LNK Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1188

A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice on the target system.

The security update addresses the vulnerability by correcting the processing of shortcut LNK references.


CVE-2019-1223 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1223

A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding.

To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services.

The update addresses the vulnerability by correcting how RDP handles connection requests.


CVE-2019-1224 | Remote Desktop Protocol Server Information Disclosure Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224

CVE-2019-1225 | Remote Desktop Protocol Server Information Disclosure Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225

An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system.

To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application.

The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.