Virtual Administrator’s March 2019 Patch Recommendations
This month Microsoft released patches for 65 vulnerabilities with 18 of them rated “Critical”, 45 “Important”, 1 “Moderate” and 1 “Low”.
All March patches have been approved in our patch policy.
Fewer patches this month but 2 zero-day fixes. Last week Chrome released a patch for a zero-day exploit (CVE-2019-5786). That patch brought Chrome to 72.0.3626.121. Microsoft just released a patch for a separate flaw (CVE-2019-0808) targeting Windows 7/Server 2008 which is being used as part of the same attacks. A second zero-day vulnerability (CVE-2019-0797) was reported by Kaspersky Lab is being exploited to install malicious software using an elevation of privilege (EoP) flaw. For the third month in a row Microsoft has released patches to fix critical flaws in the Windows DHCP client (CVE-2019-0697,CVE-2019-0698,CVE-2019-0726).
There are 3 types of known issues affecting most machines as well as a number of Security Advisories.
Heads Up! SHA-2 code signing support
Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019.
2019 SHA-2 Code Signing Support requirement for Windows and WSUS
FYI – New Servicing Stack Updates (SSU) for Windows 7 and Server 2008R2 KB4490628 (ADV990001)
Notable News – Windows 10 version 1903 should be released within the next few weeks.
Disclosed: CVE-2019-0683, CVE-2019-0754, CVE-2019-0757, and CVE-2019-0809.
Exploited: CVE-2019-0797, CVE-2019-0808
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Affected software include:
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office SharePoint
- ChakraCore
- Team Foundation Server
- Skype for Business
- Visual Studio
- NuGet
Microsoft Security Advisories
ADV190005 | Guidance to adjust HTTP/2 SETTINGS frames (Published: 02/20/2019|Last Updated: 03/12/2019)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190005
Executive Summary
Microsoft is aware of a potential condition which can be triggered when malicious HTTP/2 requests are sent to a Windows Server with the http.sys service enabled. This could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by http.sys.
The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed.
To address this issue, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the system administrator. They are not preset by Microsoft.
Recommended Actions
- Install the February non-security update.
- Customers should review Knowledge Base Article 4491420 and take appropriate action.
ADV190008 | March 2019 Adobe Flash Security Update (Published: 03/12/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190008
This security update addresses minor security fixes, which are described in Adobe Security Bulletin APSB19-12 (https://helpx.adobe.com/security/products/flash-player/apsb19-12.html).
ADV190009 | SHA-2 Code Sign Support Advisory (Published: 03/12/2019)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190009
Microsoft is announcing the release of SHA-2 code sign support for Windows 7 SP1, and Windows Server 2008 R2 SP1.
Please see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS for more information.
ADV190010 | Best Practices Regarding Sharing of a Single User Account Across Multiple Users (Published: 03/12/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190010
Microsoft strongly recommends customers avoid the use of a ‘common’ or ‘shared’ Windows logon account. A single user account should never be shared amongst different users. This is especially true when users are logging into the same physical machine. Customers who have solutions designed this way are encouraged to engage their solution vendors for assistance in configuring their product to support independent user accounts.
Microsoft considers the practice of sharing the same user account with multiple users a significant security risk. There is no security boundary between sessions using the same user account on the same Windows client or server.
ADV990001 | Latest Servicing Stack Updates(Published: 11/13/2018|Last Updated: 03/12/2019)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
This is a list of the latest servicing stack updates for each operating sytem. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
Known Issues per Microsoft:
Microsoft lists 9 KBs with known issues and all have one or more of the 3 listed here.
Applies to: KB4489873, KB4489878, KB4489881
Symptom: After installing this security update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.
Workaround: Right-click the URL link to open it in a new window or tab.
Microsoft is working on a resolution and will provide an update in an upcoming release.
Applies to: KB4489878, KB4489882, KB4489883, KB4489884, KB4489885, KB4489891, KB4489899
Symptom: After installing this update, Internet Explorer 10 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
- Cache size and location show zero or empty.
- Keyboard shortcuts may not work properly.
- Webpages may intermittently fail to load or render correctly.
- Issues with credential prompts.
- Issues when downloading files.
Workaround: Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.
Microsoft is working on a resolution and will provide an update in an upcoming release.
Applies to: KB4489881, KB4489883, KB4489884, KB4489891, KB4489899
Symptom: After installing this update, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
Group Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a Group Policy Preference for Internet Settings.
Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.
Details and Links
KB4489873 for Internet Explorer
Custom URI Schemes
KB4489878 for Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)
https://support.microsoft.com/en-us/help/4489878/windows-7-update-kb4489878
Custom URI Schemes
Internet Explorer 10 may have authentication issues.
KB4489881 for Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
https://support.microsoft.com/en-us/help/4489881/windows-8-1-update-kb4489881
Custom URI Schemes
Internet Explorer 11 may have authentication issues.
MSXML6 causes applications to stop
KB4489882 for Windows 10 version 1607, Windows Server 2016
https://support.microsoft.com/en-us/help/4489882/windows-10-update-kb4489882
Custom URI Schemes
Internet Explorer 11 may have authentication issues.
2 Additional Issues
KB4489883 for Windows 8.1, Windows Server 2012 R2 (Security-only update)
https://support.microsoft.com/en-us/help/4489883/windows-8-1-update-kb4489883
Internet Explorer 11 may have authentication issues.
MSXML6 causes applications to stop
KB4489884 for Windows Server 2012 (Security-only update)
https://support.microsoft.com/en-us/help/4489884/windows-server-2012-update-kb4489884
Internet Explorer 10 may have authentication issues.
MSXML6 causes applications to stop
KB4489885 for Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)
https://support.microsoft.com/en-us/help/4489885/windows-7-update-kb4489885
Internet Explorer 10 may have authentication issues.
KB4489891 for Windows Server 2012 (Monthly Rollup)
https://support.microsoft.com/en-us/help/4489891/windows-server-2012-update-kb4489891
Internet Explorer 10 may have authentication issues.
MSXML6 causes applications to stop
KB4489899 for Windows 10 version 1809, Windows Server 2019
https://support.microsoft.com/en-us/help/4489899/windows-10-update-kb4489899
Internet Explorer 11 may have authentication issues.
MSXML6 causes applications to stop
1 Additional Issue
Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
KB4489878 – Windows 7, Windows Server 2008 R2
KB4489881 – Windows 8.1, Windows Server 2012 R2
KB4489891 – Windows Server 2012
KB4489880 – Windows Server 2008
Security Only Update
KB4489885 – Windows 7, Windows Server 2008 R2
KB4489883 – Windows 8.1, Windows Server 2012 R2
KB4489884 – Windows Server 2012
KB4489876 – Windows Server 2008
Cumulative Update for Windows 10
KB4489872 – Original release version 1507 (OS Build 10240)
None – Version 1511 (OS Build 10586)
KB4489882 – Version 1607 “Anniversary Update” (OS Build 14393)
KB4489871 – Version 1703 “Creators Update” (OS Build 15063)
KB4489886 – Version 1709 “Fall Creators Update” (OS Build 16299)
KB4489868 – Version 1803 “Spring Creators Update” (OS Build 17134)
KB4489899 – Version 1809 “October 2018 Update” (OS Build 17763)
Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
KB4489873 – Cumulative Security Update for Internet Explorer 9/10/11
This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly to secure Internet Explorer otherwise it is “superseded” by the monthly update.
.NET Framework
KB4486553 Cumulative Update for .NET Framework 3.5 and 4.7.2 for Windows 10, version 1809 and Windows Server 2019
KB4489907 – Security Update for Adobe Flash Player
March 2019 updates for Microsoft Office
https://support.microsoft.com/en-us/help/4491754/march-2019-updates-for-microsoft-office
Notable CVEs
CVE-2019-0808 | Win32k Elevation of Privilege Vulnerability (Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
CVE-2019-0797 | Win32k Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0797
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.
CVE-2019-0697 | Windows DHCP Client Remote Code Execution Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0697
Security Vulnerability
Published: 03/12/2019
MITRE CVE-2019-0697
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.
To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client.
The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.
CVE-2019-0698 | Windows DHCP Client Remote Code Execution Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0698
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.
To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client.
The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.
CVE-2019-0726 | Windows DHCP Client Remote Code Execution Vulnerability (Cumulative Update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0726
Security Vulnerability
Published: 03/12/2019
MITRE CVE-2019-0726
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.
To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client.
The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.
CVE-2019-0763 | Internet Explorer Memory Corruption Vulnerability (Cumulative Update/Monthly Rollup/IE Cumulative)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0763
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.
The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory.
