This month’s Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, along with a patch for one of the two reported vulns. Adobe also released updates for Acrobat/Reader, Flash, ColdFusion, and Creative Cloud.
Workstation Patches
Browser, Scripting Engine, and GDI+ patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Exchange
In late January, a 0-day exploit was announced for Microsoft Exchange. This exploit uses several known vulnerabilities in both Exchange and Active Directory. Exploitation allows an attacker to escalate their privileges to Domain Admin. Last week, Microsoft posted an advisory regarding this exploit, which gives some ways to mitigate the vulnerabilities. However, two updates were released today (CVE-2019-0686 and CVE-2019-0724) that supersede the suggested mitigation, and should be highly prioritized for any Exchange environments.
SharePoint
The two SharePoint vulns (CVE-2019-0594 and CVE-2019-0604) allow a malicious user to execute code in the context of the SharePoint application pool and the SharePoint server farm account. While the malicious user would need special rights to perform this action, this patch should be treated as high priority for any SharePoint servers.
DHCP
One vulnerability applies to Windows DHCP Server. It is ranked as Critical and can lead to Remote Code Execution. Any attacker who can send packets to a DHCP server can exploit this vulnerability. This patch should be prioritized for any Windows DHCP implementations.
Adobe Patches
Adobe also released patches for Acrobat/Reader, Flash, ColdFusion, and Creative Cloud. The Acrobat/Reader patches addresses 71 CVEs, and should be deployed to any systems running this software.
The Flash patch is ranked as Important and labeled as an Out-of-bounds Read Information Disclosure by Adobe, but Microsoft ranks it Critical and labels it with Remote Code Execution. The CVE (CVE-2019-7090) matches, though the Microsoft bulletin links to a non-existent Adobe bulletin at the time of this writing.
The ColdFusion patch addresses two vulns, with one of them ranked as Critical. This is a Java deserialization vulnerability that should be deployed as soon as possible, as exploitation can lead to remote code execution. Additional steps may be required after deploying the update.
Executive Summary
- Microsoft released security updates for all supported versions of Microsoft Windows.
- The following Microsoft products received security updates as well: Microsoft Edge, Internet Explorer, Microsoft Office, .NET Framework, Microsoft Exchange Server, Microsoft Visual Studio, Azure IoT SDK, Microsoft Dynamics, Team Foundation Server, Visual Studio Code
- Microsoft released Servicing Stack Updates for supported versions of Windows.
Operating System Distribution
- Windows 7: 24 vulnerabilities of which 3 are rated critical and 21 are rated important.
- Windows 8.1: 25 vulnerabilities of which 3 are rated critical and 22 are rated important.
- Windows 10 version 1607: 28 vulnerabilities of which 3 are critical and 25 are important
- Windows 10 version 1703: 28 vulnerabilities of which 3 are critical and 25 are important
- Windows 10 version 1709: 29 vulnerabilities of which 3 are critical and 26 are important
- Windows 10 version 1803: 29 vulnerabilities of which 3 are critical and 26 are important
- Windows 10 version 1809: 28 vulnerabilities of which 3 are critical and 25 are important
Windows Server products
- Windows Server 2008 R2: 24 vulnerabilities of which 3 are critical and 21 are important.
- Windows Server 2012 R2: 25 vulnerabilities of which 3 are critical and 23 are important.
- Windows Server 2016: 28 vulnerabilities of which 3 are critical and 25 are important.
- Windows Server 2019: 28 vulnerabilities of which 3 are critical and 25 are important.
Other Microsoft Products
- Internet Explorer 11: 3 vulnerability, 1 critical, 2 important
- Microsoft Edge: 21 vulnerabilities, 14 critical, 5 important, 2 moderate
Known Issues
Windows 7, Windows 8.1
- Virtual Machines may fail to restore successfully after installing the update on AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) architectures.
- Workaround: Shut down of virtual machines before restarting the host.
Windows 10 version 1607 and Server 2016
- Lenovo laptops with less than 8 GB of RAM may fail to start.
- Workaround: Disable Secure Boot on the PC. If BitLocker is installed, you may need to use BitLocker Recovery.
- The cluster service may fail to start after installing KB4467684.
- Workaround: Set Minimum Password Length policy to “less than or equal to 14 characters”.
- SCVMM hosts may not be able to enumerate and manage logical switches deployed on the host.
- Workaround: Run mofcomp on Scvmmswitchportsettings.mof and VMMDHCPSvr.mof.
Windows 10 version 1803
- Some users may not be able to pin web links on the Start menu or taskbar.
- Workaround: none
- Also, same local IP connecting issue as Windows 10 version 1809.
Windows 10 version 1703, 1709, 1809
- Some users may not be able to load webpages using local IP addresses after installing KB4480116.
- Workaround: Add the local IP address to the list of sites in the Trusted Zone.
Direct update downloads
The following links point to the Microsoft Update Catalog website where you can download the updates as standalone files.
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4486563 — 2019-02 Security Monthly Quality Rollup for Windows 7
- KB4486564 — 2019-02 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4487000 — 2019-02 Security Monthly Quality Rollup for Windows 8.1
- KB4487028 — 2019-02 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
- KB4487026 — 2019-02 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
- KB4487020 — 2019-02 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709
- KB4486996 — 2019-02 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4487017 — 2019-02 Cumulative Update for Windows 10 Version 1803
Windows 10 (version 1809)
- KB4487044 — 2019-02 Cumulative Update for Windows 10 Version 1809