This is a huge month for Patch Tuesday as Microsoft attempts to address 93 unique vulnerabilities spanning Windows desktop and server platforms, Microsoft Office and core development tools. Without the pressure of a publicly reported vulnerability and with no zero-days to urgently address, we recommend a measured pace of testing before deployment for the Windows and Office updates, with a more rapid pace for the IE and development tools patches.
With each update that Microsoft releases, there are generally a few issues that have been raised in testing. For this August release, and specifically Windows 10 1903 builds, the following issues have been raised:
- Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.
- Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001”.
- Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of this update.
Microsoft has reported that these issues are expected to be resolved in either the next release or possibly at the end of the month.
This update cycle for Microsoft Windows includes major revisions to one previously reported vulnerability:
- CVE-2019-0988: New information was published for this critical-rated vulnerability in the Microsoft Internet Explorer browser. Microsoft added Windows 10 installs of Microsoft Edge to the Security Updates table because Edge is affected by this vulnerability. Microsoft recommends that customers running Edge on Windows 10 install the latest security updates to be fully protected from this vulnerability.
If you are tracking Microsoft document version updates, another update (CVE-2019-1125) was published last week and has been included in this month’s release cycle. No additional actions need to be taken.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (including Web Apps and Exchange)
- Microsoft Development platforms (.NET Core and Chakra Core)
- Adobe Flash Player
Microsoft has attempted to address 12 vulnerabilities in its two web browsers (Edge and Internet Explorer), with nine rated as critical. Though we don’t have any vulnerabilities publicly reported or known to be exploited, two groups of issues are related to the Chakra scripting engine and how both browsers handle memory. All of the critical updates could lead to a remote code execution scenario and will require complete updates to both browsers. In addition, both groups of vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, and could be exploited through a specially crafted web page. Add this August update to your “Patch Now” release cycle.
This is a pretty massive update to the Windows platform, with 15 updates rated as critical and 55 rated as important by Microsoft. The two biggest issues relate to how Microsoft handles fonts (a recurring theme) and the wormable vulnerability (CVE-2019-1222) in Microsoft Remote Desktop Services (formerly Terminal Services). Not only does this month’s Patch Tuesday update attempt to address a large number of vulnerabilities, it also creates a large testing area for deployment engineers. This month’s update includes changes to Hyper-V, DHCP, VBScript, GDI, Remote Desktop Services (RDS), Microsoft JET and, more worryingly, several updates to the Windows kernel. There are some pretty critical updates here, but given the nature and number of changes we recommend a staged deployment for this update.
This is an interesting month for Office updates. For August we see five patches rated as critical by Microsoft and the remaining nine updates rated as important. Unusually, Microsoft has released an update to a trusted font issue for Office for Mac, and the venerable Office 2013 has an update to the aging Microsoft JET database engine. If you have legacy code working on older versions of Office that needs to connect to databases (or larger spreadsheets), then you will want to have a closer look at these Office updates before general deployment. Otherwise, add these Microsoft Office updates to your standard deployment schedule.
Microsoft has attempted to address eight vulnerabilities in its development platform, with seven rated as critical and the remainder rated as important. All the critical updates relate to the Chakra scripting engine (which also relates to the IE and Edge security issues). In addition to the Chakra issues and updates, there are information disclosure issues in the Git component for Visual Studio.
And, speaking of Git, there were a number of issues reported by our internal testing team with last month’s updates (July Patch Tuesday) that related to a number of private security DLLs included in the Git desktop application installation. Add the Visual Studio component updates to your standard patch deployment cycle. I expect that all the development-related patches for Chakra will be included in your browser update cycle – which unfortunately are considered “Patch Now” for this month.
Microsoft has not released any specific bulletins or advisories for Adobe products. However, there are eight updates to Adobe products available from the Adobe security area including:
- APSB19-44 Security update available for Adobe Photoshop CC
- APSB19-42 Security update available for Adobe Experience Manager
- APSB19-41 Security update available for Adobe Acrobat and Reader
- APSB19-39 Security update available for Adobe Creative Cloud Desktop Application
- APSB19-35 Security update available for Adobe Prelude CC
- APSB19-33 Security update available for Adobe Premiere Pro CC
- APSB19-32 Security update available for Adobe Character Animator CC
- APSB19-31 Security update available for Adobe After Effects CC
All of these product-level updates should be included in your standard product update and release cycle.