This month, Microsoft delivers a big, complex series of updates to Windows, Azure and Edge. With 88 vulnerabilities addressed and four made public, we see “Patch Now” recommendations for both browsers, Windows and Adobe. I think that we should pay special attention to this month’s significant updates to ADO and JET. You can find our monthly update infographics here. And, I think I did a reasonable job of describing the different approaches to patching in our latest Readiness “Patching at Full Throttle” video.
Each month, we provide some detail on the currently known (and generally unmitigated) issues with the latest Windows 10 (1803 and 1809) and server releases:
- KB4503293: Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)”. Microsoft is still working on this issue.
- KB4503327: When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.” And, Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform an operation on a CSV owner node from a process that doesn’t have administrator privileges.
- KB4503284: Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. If this issue occurs on your server environment, Microsoft suggests running the process with Administrator access.
This patch cycle brings a single major (but very low importance) patch revision to an older update to the Windows GDI component on Windows 7 and Windows Server 2008 R2, with CVE-2017-8533. Microsoft is releasing security updates 4503292 (Monthly Rollup) and 4503269 (Security Only). This should not affect most recently updated systems.
We also break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft .NET Core, .NET Core and Chakra Core
- Adobe Flash Player
For this Patch Tuesday, Microsoft has attempted to resolve 16 critical, three important, and 16 moderate vulnerabilities in Microsoft’s Edge browser. All the vulnerabilities relate to how Edge handles memory issues and the Chakra scripting engine. There is a large overlap with Edge’s Chakra vulnerabilities and the issues reported with Microsoft’s developer tools. All of the critical rated vulnerabilities could lead to the more serious remote execution scenarios. This update should have a high priority. We recommend a “Patch Now” status for Microsoft browser updates for June.
As Microsoft has now made 1903 their generally available desktop platform, we have started using Windows 10 1903, 64-bit as our target platform. With this update cycle for the Windows desktop, we see most of the reported vulnerabilities (five critical, 57 important and one moderate) with the following critical vulnerabilities:
- CVE-2019-0973: An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2019-1053: An elevation of privilege vulnerability exists when the Windows Shell fails to validate folder shortcuts. An attacker who successfully exploited the vulnerability could elevate privileges by escaping a sandbox.
- CVE-2019-1064: An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker could then install programs; view, change or delete data.
- CVE-2019-1069: An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations.
In addition to these critical updates we are seeing some real “update hotspots” in the Windows platform with the following components and their corresponding vulnerabilities for this month:
- Microsoft ADO and Jet Engine: CVE-2019-0904, CVE-2019-0905, CVE-2019-0906, CVE-2019-0907, CVE-2019-0908, CVE-2019-0909, CVE-2019-0974
- Microsoft Hyper-V: CVE-2019-0620, CVE-2019-0709, CVE-2019-0722
- Microsoft Audio Service: CVE-2019-1007, CVE-2019-1021, CVE-2019-1022, CVE-2019-1026, CVE-2019-1027, CVE-2019-1028
- Windows GDI: CVE-2019-0968, CVE-2019-0977, CVE-2019-1009, CVE-2019-1010, CVE-2019-1011, CVE-2019-1012, CVE-2019-1013, CVE-2019-1015, CVE-2019-1016, CVE-2019-1046, CVE-2019-1047, CVE-2019-1048, CVE-2019-1049, CVE-2019-1050
Like a rite of passage, we have seen our first real update to the Microsoft AppX virtualization technology with CVE-2019-1064 reported as a critical vulnerability. And, it looks like the major new feature in Windows Release 1903 (The Sandbox) has a minor issue with this update with Microsoft KB article KB4503293. This is a big, complex update that affects many of the core operating system components. If you have a reliance on JET/ADO, Hyper-V or specialist line of business applications that rely on core GDI services, then this update needs application compatibility testing. Otherwise, add this large Windows update to your standard deployment effort.
The biggest issue affecting the Microsoft Office (desktop and server) platforms this month is a Cross-site-scripting (XSS) issue (CVE-2019-1036, CVE-2019-1031, CVE-2019-1032, CVE-2019-1033) that could lead to an attack where a bad-actor could run scripts in the context of a user. These issues are more difficult to exploit, and with no critical updates this month, we recommend that you “schedule” this update as part of your standard deployment effort.
Development Tools (.NET and Chakra Core)
Normally the updates to Microsoft toolsets are a “staid” thing, with planned changes to development platforms that could take months to deploy. This month is different with 9 critical updates to the Chakra and Scripting Engine in Microsoft Edge. Given how things are progressing with Microsoft and its cloud platform, we may see a separate section for Azure patches and changes next month. For this update cycle, Microsoft has released a fix for a moderate rated spoofing vulnerability on Azure DevOps Server (CVE-2019-0996). You can read more about Azure DevOps here. I am sure that we will hear more about Azure patches and updates next month, but I am just not sure how we can test and plan for these changes. Schedule the Azure DevOps update, but add the Chakra update to your “Patch Now” release schedule.
Adobe has released (yet) another critical update to its venerable Flash Player. As always, this update is a full refresh of the Flash distribution and this latest update brings Flash to version 126.96.36.199. If this is getting repetitive, we at least have some hope, as Adobe is deprecating Flash at the end of 2020. As usual, it’s as serious as it is ridiculously easy to exploit and if you have Flash on your systems (you really shouldn’t) please add this critical update to your “Patch Now” deployment effort.