This month’s Patch Tuesday is medium in size, with 47 vulnerabilities covered and only 7 labeled as Critical. Twenty-six of the vulns apply to Windows Servers and Workstation operating systems. Two of the Critical apply to Hyper-V and could lead to RCE on the host system. Microsoft also issued and out-of-band patch in December for Internet Explorer 9 through 11 due to active attacks in the wild. Last week, Adobe also released out-of-band patches for Acrobat and Reader covering two Critical vulns.
Workstation Patches
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Four of the 7 critical vulns are for Chakra / Microsoft Edge and should be prioritized for these types of systems.
Out-of-band IE Patch
On December 19, Microsoft issued an out-of-band patch (CVE-2018-8653) for Internet Explorer 9 through 11 due to targeted active attacks against this vulnerability that were discovered in the wild. This patch should also be prioritized to all workstation-type devices.
Hyper-V
Two of the vulns apply to Hyper-V, and could potentially lead to a VM escape. Microsoft does label these as “Exploitation Less Likely,” but Hyper-V hosts should still have these Critical patches prioritized.
Adobe Patches
Adobe released patches for Flash, but they do not contain security updates. However, security patches were released for Adobe Digital Editions and Adobe Connect, covering two Important CVEs. In addition, patches were released out-of-band last week for Acrobat and Reader, covering two Critical CVEs. These patches should be prioritized for workstation-type devices.
Executive Summary
- Microsoft released security updates for all client and server versions of Windows.
- No critical vulnerabilities in Windows 8.1 and 7.
- Microsoft released security updates for Microsoft Edge, Internet Explorer, Adobe Flash Player, .NET Framework, Microsoft Office, Microsoft Exchange Server, and Microsoft Visual Studio
- Windows 10 version 1809 is in active distribution.
Operating System Distribution
- Windows 7: 15 vulnerabilities of which 15 are rated important.
- Windows 8.1: 18 vulnerabilities of which 18 are rated important.
- Windows 10 version 1607: 23 vulnerabilities of which 1 is critical and 22 are important
- Windows 10 version 1703: 24 vulnerabilities of which 1 is critical and 23 are important
- Windows 10 version 1709: 24 vulnerabilities of which 1 is critical and 23 are important
- Windows 10 version 1803: 26 vulnerabilities of which 3 are critical and 23 are important
- Windows 10 version 1809: 25 vulnerabilities of which 2 are critical and 23 are important
Windows Server products
- Windows Server 2008 R2: 15 vulnerabilities of which 15 are important.
- Windows Server 2012 R2: 18 vulnerabilities of which 18 are important.
- Windows Server 2016: 23 vulnerabilities of which 1 is critical and 22 are important.
- Windows Server 2019: 25 vulnerabilities of which 2 are critical and 23 are important.
Other Microsoft Products
- Internet Explorer 11: 2 vulnerability, 1 critical, 1 important
- Microsoft Edge: 5 vulnerabilities, 4 critical, 1 important
Known Issues
Windows 10 version 1809 -- KB4480116 : Third-party applications may have difficulty authentication hotspots.
Windows 10 version 1803 -- KB4480966
- Same as Windows 10 version 1709
- Some users may not be able to pin web links to the Start Menu or Taskbar.
- After installing KB4467682, the cluster service may fail with 2245 (NERR_PasswordTooShort) if the Minimum Password Length policy is set to a value greater than 14 characters.
Windows 10 version 1709 -- KB4480978
Windows 10 version 1703 -- KB4480973
- Third-party applications may have difficulty authentication hotspots.
- Instantiation of SQL connection can throw an exception.
Windows 10 version 1607 -- KB4480961
- Same as Windows 10 version 1709
- After installation of KB4467691, Windows may not start on "certain" Lenovo devices with less than 8 Gigabytes of RAM.
- After installing KB4467684, the cluster service may fail with 2245 (NERR_PasswordTooShort) if the Minimum Password Length policy is set to a value greater than 14 characters.
- After installation of the update on Windows Server 2016, Outlook instant searches may fail with "Outlook cannot perform the search".
- System Center Virtual Machine Manager (SCVMM) managed workloads are noticing infrastructure management issues after VMM refresh as the Windows Management Instrumentation (WMI) class around network port is being unregistered on Hyper-V hosts.
Windows 8.1 -- KB4480963
- Third-party applications may have difficulty authentication hotspots.
Windows 7 -- KB4480116
- Third-party applications may have difficulty authentication hotspots.
Direct update downloads
Microsoft publishes all cumulative security updates and other updates on the Microsoft Update Catalog website.
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4480970 -- 2019-01 Security Monthly Quality Rollup for Windows 7
- KB4480960 -- 2019-01 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4480963 -- 2019-01 Security Monthly Quality Rollup for Windows 8.1
- KB4480964 -- 2019-01 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
- KB4480961 -- 2019-01 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
- KB4480973 -- 2019-01 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709)
- KB4480978 -- 2019-01 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4480966 -- 2019-01 Cumulative Update for Windows 10 Version 1803
Windows 10 (version 1809)
- KB4480116 -- 2019-01 Cumulative Update for Windows 10 Version 1809