This is a big patch release for Microsoft February Patch Tuesday, with 75 vulnerabilities addressed and critical updates for IE and Windows and most importantly this month a large number of patches to Microsoft’s development platform (.NET, IE and scripting engines). And Adobe is back on the scene with a critical update to resolve more memory corruption issues.
We would advise a little caution with the Windows desktop update due to some pretty big updates to both the GDI sub-systems and the Win32K driver system. Chris Goettl has posted some guidance that aligns closely with our thinking: make Adobe, Exchange and the browser patches a priority.
Known Issues for February 2019
For this February update cycle, there are an unusually large number of reported “Known Issues” including:
- For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update. (4487026)
- After installing KB4480973, some users report that they cannot load a webpage in Microsoft Edge using a local IP address (4487020, 4486996, 4487017, 4487044)
After you install the Cumulative Update 12 for Exchange Server 2016, the Accept button disappears in the invitation email message of a shared calendar in Microsoft Outlook on the web client (previously known as Outlook Web App). And, when you manually attempt to install Update rollup 26 for Exchange 2010 Service Pack 3, some files are not correctly installed on the target machine.
- Each month, I try to break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft asp.net Core, .NET Core and Chakra Core
- Adobe Flash Player
Microsoft has attempted to resolve over 30 reported vulnerabilities for the Windows desktop and server platforms. A short list of some of the key areas affected involves the following components:
- Microsoft JET Engine: CVE-2019-0595
- Win32K Device Drivers: CVE-2019-0628
- Windows Kernel: CVE-2019-0656
Looking at these types of issues and how they have affected updates in the past, caution is required as the majority are reported as Important by Microsoft. That said, there are three reported vulnerabilities rated as Critical by Microsoft that include:
- CVE-2019-0618 and CVE-2019-0662 GDI+ Remote Code Execution Vulnerability
- CVE-2019-0626: Windows DHCP Server Remote Code Execution Vulnerability
Given the driver-level changes and the fact that these reported issues have not been publicly disclosed or reported as exploited, I would add these updates to an extensive testing regime with a staged/staggered deployment. Hey, try the IT department first.
This month, we see 23 reported vulnerabilities across both Microsoft Edge and Internet Explorer (IE11). 15 of these security issues have been rated by Microsoft as Critical and the worst could lead to a remote code execution scenario. As has been generally the case, most of the reported issues relate to memory handling issues and Microsoft has released a full re-compile of the IE and Edge code base. And for some, “Enough is Enough” with Chris Jackson (the Microsoft App-Compat guy) advocating that we all move away from Internet Explorer – stop using it, so Microsoft doesn’t have to update it anymore. Which I think is reasonable. Given that both browsers are the most common vectors for security concerns, add this browser update to your rapid patch schedule.
The two main vulnerabilities addressed in this month’s Microsoft Office update (CVE-2019-0594 and CVE-2019-0604) relate to a file handling error with Microsoft SharePoint that leads to the execution of arbitrary code on the target platform. With a further reported issue rated as Important and one rated as Moderate for SharePoint and Microsoft Team Foundation Server, we recommend that you add this patch to your standard server patch deployment cycle.
This is an unusual patch release for this section of Windows update, the development and platforms tools product family. Microsoft’s development tools that require critical and important updates include patches to the following groups:
- Microsoft Visual Studio
- Azure IoT SDK
- .NET Framework and Visual Studio Code
With 21 reported vulnerabilities, 11 rated as Critical – this is an unusually large development update, even for large patch cycles. The most serious security issues relate to:
- Scripting Engine Memory Corruption vulnerabilities targeting the latest versions
- Internet Explorer and Microsoft Edge memory corruption
- Microsoft .NET memory corruption issues
All of these vulnerabilities rated as Critical by Microsoft could lead to remote code execution scenarios and usually Microsoft’s development platforms are more likely to be exploited on the latest platforms. We recommend getting these patches to your development team as a high priority.
Adobe (Flash Player)
This month Adobe is back in true form with a critical update that addresses two remote code execution vulnerabilities (CVE-2018-15982 and CVE-2018-15982). Both reported security issues are related to “use after free” and DLL hijacking. You can read more here. We suggest that you add this to your “Patch Now” effort.
CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
Out-dated operating systems such as the beloved Windows 7, may still be functional but leave your company vulnerable. It is inherently risky to continue running Windows 7 and much safer to migrate to Windows 10 before it is too late.
This October Patch Tuesday is an important but troubled patch release from Microsoft with a critical, out-of-band browser update that has been widely reported as causing a number of deployment issues.
Here’s our 2019 Patch Impact assessment report reformatted with our new “Threatscape” report, showing a more complete assessment of the risk of not installing September’s Patch Tuesday updates in an easily-digestible, at-a-glance report.
Greg Lambert’s Patch Tuesday post for September is here. This September update cycle brings two zero-days and three publicly reported vulnerabilities in the Windows platform.
This September update cycle brings two zero-days and three publicly reported vulnerabilities in the Windows platform. Both browser and Windows updates require immediate attention and your development team will need to spend some time with the latest patches to .NET and .NET Core.