Virtual Administrator’s December 2019 Patch Recommendations

This month Microsoft released patches for 36 vulnerabilities with 7 rated “Critical” and 28 as “Important”.

All other December patches have been approved in our patch policy. (Note: Denied Office patches from last month have been approved; see below.)

Only one vulnerability, in a core Windows component (Win32k), is currently known to be exploited (CVE-2019-1458). A remote code execution vulnerability (CVE-2019-1471) is patched in Hyper-V. There are new Servicing Stack Updates (SSU) for Windows 7 and Server 2008/2008R2/2012. There is no Adobe Flash Player patch this month, and there is one new Security Advisory.

 

Approved Office patches from November – KB3085368, KB4484113, KB4484119, and KB4484127

Last month we denied these Office patches affecting Access. Microsoft has fixed the problem with another patch. Those patches are not part of Windows Update and need to be installed manually. Details are below. You only need to apply the fix if users are seeing the error. These are not security patches.

 

Access error: “Query is corrupt”

https://support.office.com/en-us/article/access-error-query-is-corrupt-fad205a5-9fd4-49f1-be83-f21636caedec

ISSUE: When attempting to run an Update query, it may not run and displays the error: “Query ‘query name’ is corrupt”.

 

Heads Up! In the Windows 7 KB4530734 Monthly Rollup, Microsoft has pushed out a new version of the EOSnotify.exe program that will display an alert, “Your Windows 7 PC is out of support”, and explain why users should upgrade to Windows 10.

Windows 7 and Windows Server 2008 will stop receiving security updates after next month’s first Patch Tuesday on January 14, 2020.

 

FYI – In November (KB4523786) and December (KB4532441), Microsoft released an update for Windows 10 1903/1909 Autopilot. In both cases they pulled the patch shortly afterward because it was being offered to machines without Autopilot.

Cumulative update for Autopilot in Windows 10

https://support.microsoft.com/en-us/help/4532441/cumulative-update-for-autopilot-in-windows-10-versions-1903-1909

“This update was available through Windows Update. However, we have removed it because it was being offered incorrectly. When an organization registers or configures a device for Windows Autopilot deployment, the device setup automatically updates Windows Autopilot to the latest version.”

 

Notable News – CVE-2019-1489 is an RDP vulnerability in Microsoft Windows XP SP3. However, they did not release a patch for it. This is the first time we have seen Microsoft document a vulnerability but offer no fix or workaround.

 

Disclosed: None

Exploited: CVE-2019-1458

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Security update deployment information: December 10, 2019

https://support.microsoft.com/en-us/help/20191210/security-update-deployment-information-december-10-2019

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Office, Office Services and Web Apps
  • SQL Server
  • Visual Studio
  • Skype for Business

 

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 11/13/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

Reason for Revision: A Servicing Stack Update has been released for all supported versions of Windows.

 

ADV190026 | Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business (Published: 12/03/2019)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190026

Microsoft is aware of an issue in Windows Hello for Business (WHfB) with public keys that persist after a device is removed from Active Directory, if the AD exists.

 

Known Issues

 

Microsoft is reporting only one new known issue this month. It affects Office 2013/2016 products.

Symptom: You may receive the following error message when you open a file that is protected by Information Rights Management:

This application is not trusted to consume rights managed content. The Authenticode signature for the application is not valid. Contact your administrator for further investigation.

Resolution: This issue is fixed with patches that were released on April 4, 2017. Your machine should already have them installed.

 

KB4484190 Excel 2013

KB4461590 PowerPoint 2013

KB4484094 Word 2013

To resolve this issue, install Office update 3172523.

April 4, 2017, update for Office 2013 (KB3172523)

https://support.microsoft.com/en-us/help/3172523/april-4-2017-update-for-office-2013-kb3172523

 

KB4484179 Excel 2016

KB4484166 PowerPoint 2016

KB4484169 Word 2016

To resolve this issue, install Office update 3178666.

April 4, 2017, update for Office 2016 (KB3178666)

https://support.microsoft.com/en-us/help/3178666/april-4-2017-update-for-office-2016-kb3178666

 

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

Monthly Rollup/Security Only/Windows 10/Server 2016, 2019 KBs

Links take the form https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only.

 

Security and Quality Rollup

KB4530734 – Windows 7, Windows Server 2008 R2

KB4530702 – Windows 8.1, Windows Server 2012 R2

KB4530691 – Windows Server 2012

KB4530695 – Windows Server 2008

 

Security Only Update

KB4530692 – Windows 7, Windows Server 2008 R2

KB4530730 – Windows 8.1, Windows Server 2012 R2

KB4530698 – Windows Server 2012

KB4530719 – Windows Server 2008

 

Cumulative Update for Windows 10

KB4530681 – Original release version 1507 (OS Build 10240)

None – Version 1511 (OS Build 10586)

KB4530689 – Version 1607 “Anniversary Update” (OS Build 14393)

KB4530711 – Version 1703 “Creators Update” (OS Build 15063)

KB4530714 – Version 1709 “Fall Creators Update” (OS Build 16299)

KB4530717 – Version 1803 “Spring Creators Update” (OS Build 17134)

KB4530715 – Version 1809 “October 2018 Update” (OS Build 17763)

KB4530684 – Version 1903 “May 2019 Update” (OS Build 18362)

KB4530684 – Version 1909 “November 2019 Update” (OS Build 18363)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

 

KB4530677 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

None – Security Update for Adobe Flash Player

 

December 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4532624/december-2019-updates-for-microsoft-office

 

Notable CVEs

 

CVE-2019-1458 | Win32k Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

 

CVE-2019-1468 | Win32k Graphics Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are multiple ways an attacker could exploit this vulnerability.

 

CVE-2019-1471 | Windows Hyper-V Remote Code Execution Vulnerability (Cumulative Update)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1471

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

 

CVE-2019-1489 | Remote Desktop Protocol Information Disclosure Vulnerability (None)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1489

An information disclosure vulnerability exists when the Windows Remote Desktop Protocol (RDP) fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application.