This month Microsoft released patches for 79 vulnerabilities, with 22 of them rated “Critical”.

 

All May patches have been approved in our patch policy.

 

This month has one Zero-Day (CVE-2019-0863), a Windows Error Handling privilege escalation vulnerability that is being exploited. Older Windows versions (Windows 7, Server 2008/2008R2) are vulnerable to a “wormable” security hole in RDP (CVE-2019-0708). Microsoft is so concerned about this that it released patches for the unsupported versions Windows XP and Server 2003. There is a Remote Code Execution (RCE) vulnerability in Windows DHCP Server (CVE-2019-0725). Security Advisory ADV190013 covers a new subclass of speculative execution side channel vulnerabilities, known as Microarchitectural Data Sampling, about which Intel published information.

 

Heads Up! Some customers report that KB4494441 installed twice on their device, causing multiple reboots. There are also slow boot and performance issues with some McAfee anti-virus products. See Known Issues below.

 

FYI [ADV990001] – New Servicing Stack Updates (SSU) for Windows 10

Disclosed: CVE-2019-0863

Exploited: CVE-2019-0863

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Affected software includes:

  • Adobe Flash Player
  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Team Foundation Server
  • Visual Studio
  • Azure DevOps Server
  • SQL Server
  • .NET Framework
  • .NET Core
  • ASP.NET Core
  • ChakraCore
  • Online Services
  • Azure
  • NuGet
  • Skype for Android

 

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018|Last Updated: 05/14/2019)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.

 

ADV190012 | May 2019 Adobe Flash Security Update (Published: 05/14/2019)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190012

This security update addresses the following vulnerability, which is described in Adobe Security Bulletin APSB19-26: CVE-2019-7837.

 

ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities (Published: 05/14/2019)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

On May 14, 2019, Intel published information about a new subclass of speculative execution side channel vulnerabilities known as Microarchitectural Data Sampling.

An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.

 

Known Issues per Microsoft

Good resource for known issues with Windows 10 patches. Click on the version in the left column for the status of known issues.

Windows 10 release information

https://docs.microsoft.com/en-us/windows/release-information/

 

There are a few known issues this month, listed below. Microsoft continues to list older known issues in the current KBs. Only new issues are listed. If a machine was not affected by an older known issue, it should not have problems with the new update.

 

KB4494441 – Cumulative Update for Windows 10 Version 1809 (OS Build 17763)

https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441

Symptom: Some customers report that KB4494441 installed twice on their device. In certain situations, installing an update requires multiple download and restart steps. If two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice.

Workaround: No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed.

We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).

 

Symptom: After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Workaround: Microsoft is working on a resolution and will provide an update as quickly as possible.

 

KB4498206 – Cumulative Security Update for Internet Explorer 9/10/11

https://support.microsoft.com/en-us/help/4498206/cumulative-security-update-for-internet-explorer-may-14-2019

Symptom: This cumulative security update 4498206 for Internet Explorer 10 might be offered for installation through Windows Server Update Services (WSUS) or other update management solutions, even after you install KB4492872 (Internet Explorer 11 for Windows Server 2012 and Windows Embedded 8 Standard) and upgrade to Internet Explorer 11.

Workaround: Although this cumulative security update for Internet Explorer 10 might be offered for installation, this issue will not affect the functionality of Internet Explorer 11. However, you should also install KB4498206 to apply the security fixes that are resolved this month for Internet Explorer 11.

Status: Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499151 – Security and Quality Rollup for Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4499151/windows-8-1-update-kb4499151

Symptom: Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Workaround: We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

 

Symptom: After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Workaround: Microsoft is working on a resolution and will provide an update as quickly as possible.

 

KB4499164 – Security and Quality Rollup for Windows 7, Windows Server 2008 R2

https://support.microsoft.com/en-us/help/4499164

Symptom: Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Workaround: We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

 

 

Security and Quality Rollup

KB4499164 – Windows 7, Windows Server 2008 R2

KB4499151 – Windows 8.1, Windows Server 2012 R2

KB4499171 – Windows Server 2012

KB4499149 – Windows Server 2008

 

Security Only Update

KB4499175 – Windows 7, Windows Server 2008 R2

KB4499165 – Windows 8.1, Windows Server 2012 R2

KB4499158 – Windows Server 2012

KB4499180 – Windows Server 2008

 

Cumulative Update for Windows 10

KB4499154 – Original release version 1507 (OS Build 10240)

None – Version 1511 (OS Build 10586)

KB4494440 – Version 1607 “Anniversary Update” (OS Build 14393)

KB4499181 – Version 1703 “Creators Update” (OS Build 15063)

KB4499179 – Version 1709 “Fall Creators Update” (OS Build 16299)

KB4497398 – Version 1803 “Spring Creators Update” (OS Build 17134)

KB4494441 – Version 1809 “October 2018 Update” (OS Build 17763)

 

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.
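
To check a single machine against the lists above, the following added example (not part of the original bulletin or any Microsoft tooling) maps the local OS release to its May 2019 KB and asks Get-HotFix whether it is installed. The function name Test-May2019Update is hypothetical; the KB numbers and Windows 10 builds are the ones listed above, and the older releases are keyed by their major.minor version.

```powershell
# Added example: KB numbers are copied from the lists above.
# Test-May2019Update is a hypothetical helper name, not a Microsoft cmdlet.
$May2019Kb = @{
    # Windows 10 and Server 2016/2019, keyed by OS build
    '10240' = @('KB4499154')
    '14393' = @('KB4494440')                # Version 1607 and Server 2016
    '15063' = @('KB4499181')
    '16299' = @('KB4499179')
    '17134' = @('KB4497398')
    '17763' = @('KB4494441')                # Version 1809 and Server 2019
    # Older releases, keyed by major.minor: monthly rollup, then security-only
    '6.0'   = @('KB4499149', 'KB4499180')   # Server 2008
    '6.1'   = @('KB4499164', 'KB4499175')   # Windows 7, Server 2008 R2
    '6.2'   = @('KB4499171', 'KB4499158')   # Server 2012
    '6.3'   = @('KB4499151', 'KB4499165')   # Windows 8.1, Server 2012 R2
}

function Test-May2019Update {
    $ver = [Environment]::OSVersion.Version
    $key = if ($ver.Major -ge 10) { [string]$ver.Build }
           else { '{0}.{1}' -f $ver.Major, $ver.Minor }

    $expected = $May2019Kb[$key]
    if (-not $expected) {
        # Version 1511 (build 10586) has no May 2019 update; any release
        # missing from the lists above also lands here.
        return New-Object PSObject -Property @{
            OS = $key; Expected = 'none listed'; Installed = $null; Patched = $null
        }
    }

    # Either KB of a rollup / security-only pair counts as patched.
    $found = @(Get-HotFix -Id $expected -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty HotFixID)

    New-Object PSObject -Property @{
        OS        = $key
        Expected  = $expected -join ' or '
        Installed = $found -join ', '
        Patched   = ($found.Count -gt 0)
    }
}

Test-May2019Update
```

A machine that has since taken a later cumulative update may no longer list the May KB in Get-HotFix, so treat a negative result on such a machine as a prompt to check the current build revision rather than as proof that it is unpatched.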

 

KB4498206 – Cumulative Security Update for Internet Explorer 9/10/11

This cumulative update is included in the monthly updates listed above. It can be installed instead of the monthly update to secure Internet Explorer; otherwise it is “superseded” by the monthly update.

 

KB4497932 – Security Update for Adobe Flash Player

 

May 2019 updates for Microsoft Office

https://support.microsoft.com/en-us/help/4501270/may-2019-updates-for-microsoft-office

 

 

Notable CVEs

CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability (Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

 

CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0725

A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server.

To exploit the vulnerability, a remote unauthenticated attacker could send a specially crafted packet to an affected DHCP server.

The security update addresses the vulnerability by correcting how DHCP servers handle network packets.

 

CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863

An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges.

To exploit the vulnerability, an attacker must first gain unprivileged execution on a victim system.

The security update addresses the vulnerability by correcting the way WER handles files.

 

CVE-2019-0881 | Windows Kernel Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0881

An elevation of privilege vulnerability exists when the Windows Kernel improperly handles key enumeration. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system.

A locally authenticated attacker could exploit this vulnerability by running a specially crafted application.

The security update addresses the vulnerability by helping to ensure that the Windows Kernel properly handles key enumeration.

 

CVE-2019-0903 | GDI+ Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0903

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are multiple ways an attacker could exploit the vulnerability:

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message.
  • In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.

The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.

 

CVE-2019-0953 | Microsoft Word Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0953

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.

To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.