This month’s Patch Tuesday addresses 65 vulnerabilities, with 18 of them labeled as Critical. Thirteen of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office. Three remote code execution (RCE) vulnerabilities are patched in the Windows DHCP Client, as well as an RCE vuln in Windows Deployment Services TFTP Server and Privilege Escalation in Microsoft Dynamics 365. Adobe’s release is light, with only two CVEs patched in Photoshop CC and Digital Editions.
Workstation Patches
Browser, Scripting Engine, ActiveX, and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Windows DHCP Client
The Windows DHCP Client is used across workstations and servers. Deployment of patches to cover the three RCE vulnerabilities should be prioritized for all Windows systems.
Windows Deployment Services TFTP Server
If you are using Windows Deployment Services, this patch should be prioritized, as exploitation could lead to remote code execution on the affected host.
Microsoft Dynamics 365
On-prem deployments of Microsoft Dynamics 365 are vulnerable to privilege escalation, and patching for these systems should also be prioritized.
Microsoft Advisories
Microsoft also released three advisories that cover a few topics:
- ADV190009 announces SHA-2 Code Sign support for Windows 7 SP1 and Windows Server 2008 R2. This update will be required for any new patches released after July 2019. Older versions of WSUS should also be updated to distribute the new SHA-2 signed patches.
- ADV190010 gives guidance on sharing the same user account across multiple users. Microsoft discourages this behavior and considers it a major security risk.
- ADV190005 provides mitigations for a potential denial-of-service in http.sys when receiving HTTP/2 requests. The patch allows users to set a limit on how many SETTINGS parameters can be sent in a single request.
Adobe
Adobe released non-security patches for Flash, as well as Critical security patches for Photoshop CC and Digital Editions, each with one vulnerability.
Executive Summary
- Microsoft released security products for all client and server based versions of Windows that it supports.
- The company released security updates for the following products next to that: Internet Explorer, Microsoft Edge, Microsoft Office and SharePoint, Skype for Business, Team Foundation Server, Visual Studio, and NuGet.
- Microsoft released SHA-2 Code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1 as a security update.
Operating System Distribution
- Windows 7: 21 vulnerabilities of which 3 are rated critical and 18 are rated important.
- Same as Windows 10 version 1607
- Windows 8.1: 20 vulnerabilities of which 3 are rated critical and 17 are rated important.
- Same as Windows 10 version 1607
- Windows 10 version 1607: 24 vulnerabilities of which 3 are critical and 21 are important
- CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
- Same as Windows 10 version 1709
- Windows 10 version 1703: 24 vulnerabilities of which 2 are critical and 22 are important
- Same as Windows 10 version 1709
- Windows 10 version 1709: 28 vulnerabilities of which 2 are critical and 26 are important
- CVE-2019-0756 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability
- Windows 10 version 1803: 33 vulnerabilities of which 6 are critical and 27 are important
- same as Windows 10 version 1809
- Windows 10 version 1809: 33 vulnerabilities of which 6 are critical and 27 are important
- CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
- CVE-2019-0697 | Windows DHCP Client Remote Code Execution Vulnerability
- CVE-2019-0698 | Windows DHCP Client Remote Code Execution Vulnerability
- CVE-2019-0726 | Windows DHCP Client Remote Code Execution Vulnerability
- CVE-2019-0756 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability
Windows Server products
- Windows Server 2008 R2: 21 vulnerabilities of which 3 are critical and 17 are important.
- Same as Windows Server 2016.
- Windows Server 2012 R2: 20 vulnerabilities of which 3 are critical and 17 are important.
- Same as Windows Server 2016.
- Windows Server 2016: 24 vulnerabilities of which 3 are critical and 21 are important.
- CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
- CVE-2019-0756 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability
- Windows Server 2019: 33 vulnerabilities of which 5 are critical and 27 are important.
- CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
- CVE-2019-0697 | Windows DHCP Client Remote Code Execution Vulnerability
- CVE-2019-0698 | Windows DHCP Client Remote Code Execution Vulnerability
- CVE-2019-0726 | Windows DHCP Client Remote Code Execution Vulnerability
- CVE-2019-0756 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability
Other Microsoft Products
- Internet Explorer 11: 14 vulnerability, 4 critical, 10 important
- Microsoft Edge: 14 vulnerabilities, 7 critical, 7 important
Known Issues
4489878 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup) AND
4489885 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update) AND
4489884 Windows Server 2012 (Security-only update) AND
4489891 Windows Server 2012 (Monthly Rollup)
- Internet Explorer 10 may have authentication issues
- Create unique user accounts to avoid same user account sharing and resolve the issue.
4489881 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) AND
4489883 Windows 8.1, Windows Server 2012 R2 (Security-only update)
- IE11 may have authentication issues.
4489882 Windows 10 version 1607, Windows Server 2016
- System Center Virtual Machine Manager managed hosts cannot "enumerate and manage logical switches".
- Run mofcomp on Scvmmswitchportsettings.mof and VMMDHCPSvr.mof
- Cluster service may fail with error "2245 (NERR_PasswordTooShort)".
- Set the Minimum Password Length policy to less or equal to 14 characters.
- IE11 may have authentication issues.
4489899 Windows 10 version 1809, Windows Server 2019
- IE11 may have authentication issues.
- Output devices may stop working on devices with multiple audio devices. Affected applications include Windows Media Player, Sound Blaster Control Panel, and Realtek HD Audio Manager.
- Temporary workaround: set the output device to default.
Direct update downloads
Cumulative updates that Microsoft releases as well as other updates get uploaded to the Microsoft Update Catalog website.
You find links to all cumulative updates for client and server versions of Microsoft Windows.
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4489878-- 2019-03 Security Monthly Quality Rollup for Windows 7
- KB4489885-- 2019-03 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4489881-- 2019-03 Security Monthly Quality Rollup for Windows 8.1
- KB4489883-- 2019-03 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
- KB4489882-- 2019-03 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
- KB4489871 -- 2019-03 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709)
- KB4489886-- 2019-03 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4489868-- 2019-03 Cumulative Update for Windows 10 Version 1803
Windows 10 (version 1809)
- KB4489899 -- 2019-03 Cumulative Update for Windows 10 Version 1809