Microsoft Security Updates: February 2019

This month’s Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, along with a patch for one of the two reported vulns. Adobe also released updates for Acrobat/Reader, Flash, ColdFusion, and Creative Cloud.

Workstation Patches

Browser, Scripting Engine, and GDI+ patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

Exchange

In late January, a 0-day exploit was announced for Microsoft Exchange. This exploit uses several known vulnerabilities in both Exchange and Active Directory. Exploitation allows an attacker to escalate their privileges to Domain Admin. Last week, Microsoft posted an advisory regarding this exploit, which gives some ways to mitigate the vulnerabilities. However, two updates were released today (CVE-2019-0686 and CVE-2019-0724) that supersede the suggested mitigation, and should be highly prioritized for any Exchange environments.

SharePoint

The two SharePoint vulns (CVE-2019-0594 and CVE-2019-0604) allow a malicious user to execute code in the context of the SharePoint application pool and the SharePoint server farm account. While the malicious user would need special rights to perform this action, this patch should be treated as high priority for any SharePoint servers.

DHCP

One vulnerability applies to Windows DHCP Server. It is ranked as Critical and can lead to Remote Code Execution. Any attacker who can send packets to a DHCP server can exploit this vulnerability. This patch should be prioritized for any Windows DHCP implementations.

Adobe Patches

Adobe also released patches for Acrobat/Reader, Flash, ColdFusion, and Creative Cloud. The Acrobat/Reader patches addresses 71 CVEs, and should be deployed to any systems running this software.

The Flash patch is ranked as Important and labeled as an Out-of-bounds Read Information Disclosure by Adobe, but Microsoft ranks it Critical and labels it with Remote Code Execution. The CVE (CVE-2019-7090) matches, though the Microsoft bulletin links to a non-existent Adobe bulletin at the time of this writing.

The ColdFusion patch addresses two vulns, with one of them ranked as Critical. This is a Java deserialization vulnerability that should be deployed as soon as possible, as exploitation can lead to remote code execution. Additional steps may be required after deploying the update.

Executive Summary

Microsoft released security updates for all supported versions of Microsoft Windows.
The following Microsoft products received security updates as well: Microsoft Edge, Internet Explorer, Microsoft Office, .NET Framework, Microsoft Exchange Server, Microsoft Visual Studio, Azure IoT SDK, Microsoft Dynamics, Team Foundation Server, Visual Studio Code
Microsoft released Servicing Stack Updates for supported versions of Windows.

Operating System Distribution

Windows 7: 24 vulnerabilities of which 3 are rated critical and 21 are rated important.
Windows 8.1: 25 vulnerabilities of which 3 are rated critical and 22 are rated important.
Windows 10 version 1607: 28 vulnerabilities of which 3 are critical and 25 are important
Windows 10 version 1703: 28 vulnerabilities of which 3 are critical and 25 are important
Windows 10 version 1709: 29 vulnerabilities of which 3 are critical and 26 are important
Windows 10 version 1803: 29 vulnerabilities of which 3 are critical and 26 are important
Windows 10 version 1809: 28 vulnerabilities of which 3 are critical and 25 are important

Windows Server products

Windows Server 2008 R2: 24 vulnerabilities of which 3 are critical and 21 are important.
Windows Server 2012 R2: 25 vulnerabilities of which 3 are critical and 23 are important.
Windows Server 2016: 28 vulnerabilities of which 3 are critical and 25 are important.
Windows Server 2019: 28 vulnerabilities of which 3 are critical and 25 are important.

Other Microsoft Products

Internet Explorer 11: 3 vulnerability, 1 critical, 2 important
Microsoft Edge: 21 vulnerabilities, 14 critical, 5 important, 2 moderate

Known Issues

Windows 7, Windows 8.1

Virtual Machines may fail to restore successfully after installing the update on AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) architectures.
- Workaround: Shut down of virtual machines before restarting the host.

Windows 10 version 1607 and Server 2016

Lenovo laptops with less than 8 GB of RAM may fail to start.
- Workaround: Disable Secure Boot on the PC. If BitLocker is installed, you may need to use BitLocker Recovery.
The cluster service may fail to start after installing KB4467684.
- Workaround: Set Minimum Password Length policy to "less than or equal to 14 characters".
SCVMM hosts may not be able to enumerate and manage logical switches deployed on the host.
- Workaround: Run mofcomp on Scvmmswitchportsettings.mof and VMMDHCPSvr.mof.

Windows 10 version 1803

Some users may not be able to pin web links on the Start menu or taskbar.
- Workaround: none
Also, same local IP connecting issue as Windows 10 version 1809.

Windows 10 version 1703, 1709, 1809

Some users may not be able to load webpages using local IP addresses after installing KB4480116.
- Workaround: Add the local IP address to the list of sites in the Trusted Zone.

Direct update downloads

The following links point to the Microsoft Update Catalog website where you can download the updates as standalone files.

Windows 7 SP1 and Windows Server 2008 R2 SP

KB4486563 -- 2019-02 Security Monthly Quality Rollup for Windows 7
KB4486564 -- 2019-02 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

KB4487000 -- 2019-02 Security Monthly Quality Rollup for Windows 8.1
KB4487028 -- 2019-02 Security Only Quality Update for Windows 8.1

Windows 10 and Windows Server 2016 (version 1607)

KB4487026 -- 2019-02 Cumulative Update for Windows 10 Version 1607

Windows 10 (version 1703)

KB4487020 -- 2019-02 Cumulative Update for Windows 10 Version 1703

Windows 10 (version 1709

KB4486996 -- 2019-02 Cumulative Update for Windows 10 Version 1709

Windows 10 (version 1803)

KB4487017 -- 2019-02 Cumulative Update for Windows 10 Version 1803

Windows 10 (version 1809)

KB4487044 -- 2019-02 Cumulative Update for Windows 10 Version 1809

Microsoft Security Updates: February 2019

Categories

Labtech

ConnectWise Automate on Linux – Best Practices

ConnectWise Automate Maintenance Mode Explained Best Practice

Uninstalling and Offboarding Automate Agents

How to Set Up Automate users to use ConnectWise SSO

Windows 10 Build Upgrades are Inevitable - Use Kaseya/ConnectWise Automate to Deploy

Best Practice Naming of Patching Groups

Automate 12 Patch 9 Now Available!

5 Tips for using the Report Center

Automate 12 Patch 8 Now Available!

Automate 12 Patch 7 Available for Download

Business Continuity

Proactive Maintenance

Kaseya

Security Best Practices for Kaseya VSA

Kaseya VSA: Software Management vs. Patch Management

Software Management Enhancements

Two-Factor Authentication in Kaseya VSA

Windows 7 & Windows 10 Multiple Builds End of Life – Upgrade Using Kaseya or ConnectWise Automate

Kaseya Network Monitor: Benefits & Features

Kaseya Patch 9.5.0.22 and Future Updates

Kaseya's New State-of-the-Art Contemporary User Interface

Kaseya Product Release - April '19

Kaseya Software Management Module

Datto

Creating & Implementing a Disaster Recovery Plan

Disaster Recovery – Minimizing Impact of Downtime

Updating a Datto Device

Datto Agent Communication Errors

Datto

StorageCraft

Get in touch today for MSP Centralized Services