This is a big month for Microsoft updates. With 64 reported vulnerabilities addressed in this month’s Patch Tuesday release, the focus is on the two zero-days for Microsoft Windows. Both Windows 7 and Windows 10 platforms are affected, leading to a “Patch Now” recommendation for both Windows and browser updates.
Both of the reported zero-day vulnerabilities relate to how a core Windows system driver (Win32k) handles objects in memory, and both issues could lead to arbitrary code execution on the targeted machines. Unusually, we don’t have a critical update for Adobe, and Microsoft Office has a few low-rated updates that can be scheduled into a standard release cycle.
Chris Goettl at Ivanti has offered some more advice from his blog “to not rely solely on vendor severity or even CVSS score as your only triggers for what should be deployed to your environment. Exploited, publicly disclosed, and user targeted vulnerabilities should also be taken into account.”
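One way to encode that advice in a triage script, as an added example (not Ivanti's or Microsoft's tooling): it compares a severity-only rule with one that also weighs the exploited, publicly disclosed and user-targeted signals. The records, field names and score threshold are constructed assumptions.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

@dataclass(frozen=True)
class Update:
    name: str                      # constructed label, not a real bulletin id
    vendor_severity: str
    cvss: float
    exploited: bool = False
    publicly_disclosed: bool = False
    user_targeted: bool = False

def severity_only(u: Update) -> str:
    """Naive triage: the vendor rating or CVSS score alone decides."""
    urgent = SEVERITY_RANK[u.vendor_severity] >= 4 or u.cvss >= 9.0
    return "patch-now" if urgent else "standard"

def risk_based(u: Update) -> str:
    """Triage that also weighs the three signals named in the quote."""
    if u.exploited:
        return "patch-now"         # in-the-wild exploitation overrides any rating
    score = SEVERITY_RANK[u.vendor_severity]
    score += 1 if u.publicly_disclosed else 0
    score += 1 if u.user_targeted else 0
    return "patch-now" if score >= 4 else "standard"   # assumed threshold

def missed_by_severity_only(updates):
    """Names of updates a severity-only process would leave in the slow lane."""
    return [u.name for u in updates
            if severity_only(u) == "standard" and risk_based(u) == "patch-now"]

# Constructed sample records for illustration only.
SAMPLE = [
    Update("kernel-driver-eop", "important", 7.8, exploited=True),
    Update("browser-script-engine-rce", "critical", 7.5, user_targeted=True),
    Update("mail-client-rce", "important", 7.8, user_targeted=True),
    Update("server-xss", "important", 5.4),
    Update("dev-tool-tampering", "moderate", 6.5, publicly_disclosed=True),
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(f"{u.name:28} severity-only={severity_only(u):9} risk-based={risk_based(u)}")
    print("missed by severity-only:", missed_by_severity_only(SAMPLE))
```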
Readiness is starting to offer more detailed technical analysis of each patch manifest and potential impacts here.
Microsoft has confirmed a number of known issues with this March update and the previous February patch release. These known issues can be grouped into two categories:
Known Issues for Windows 7 and 8, Server 2008 and Server 2012.
Microsoft has released the following KB articles (4489878, 4489881, 4489883, 4489884) to address a number of issues relating to Microsoft IE10 which could occur when using multiple accounts on the same machine through RDP or Terminal Server sessions, including:
- Cache size and location show zero or empty.
- Keyboard shortcuts may not work properly.
- Webpages may intermittently fail to load or render correctly.
- Issues with credential prompts.
- Issues when downloading files.
Known Issues for Windows 10 (Builds 1803 to 1809) and Server 2019.
In addition to the problems listed above, Windows 10 and Server 2019 builds have reported problems (4489882, 4489899) with audio-related applications crashing. Some examples of crashing applications include:
- Windows Media Player
- Realtek HD Audio Manager
- SoundBlaster Control Panel
Each month, I try to break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft development tools (.NET Core and Chakra Core)
- Adobe Flash Player
Microsoft has released 11 updates rated as critical for both browsers (Internet Explorer 11 and Microsoft Edge). Even if these updates were not accompanied by a further 11 important and moderate updates, this patch release should be a “Patch Now” update from Microsoft. It looks like scripting engine and memory corruption issues are causing both browsers significant security issues resulting in remote code execution scenarios. Patch now. Patch Now!
This Windows update for March addresses 35 vulnerabilities, with six rated as critical and two rated as zero-days. This is a massive and urgent update for Windows. The first zero-day (CVE-2019-0808) relates to how the core system component Win32k handles objects in memory. Microsoft has reported this vulnerability as exploited, making an update urgent for all affected Windows 7 and Server 2008 systems. The second zero-day (CVE-2019-0797) relates to how Windows 10 similarly handles Win32k memory issues. Both vulnerabilities can lead to a remote code execution scenario using the logged-in user’s privileges. Both issues require the local execution of a specially crafted application to successfully complete the exploit. Add this update to your “Patch Now” release schedule.
The March Microsoft update cycle has been relatively kind to Microsoft Office, with only three reported vulnerabilities rated as important by Microsoft. These three vulnerabilities cover the following areas:
- Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
- Microsoft Office SharePoint XSS Vulnerability
- Skype for Business and Lync Spoofing Vulnerability
Add this Microsoft Office update to your standard patch deployment schedule.
Development Tools (.NET and Chakra Core)
This month Microsoft has attempted to address six vulnerabilities rated as critical relating to remote code execution scenarios in the Chakra Core scripting engine. These vulnerabilities relate to how Microsoft Edge handles objects in memory and, most worryingly, could allow an attacker to run arbitrary code as the logged-in user. Moving from the Windows platform, there is a vulnerability in the NuGet package manager for Mac and Linux that could also allow tampering with files on the targeted system. Given the overlap with the browser (Edge) updates this month, these development and scripting engine updates can be included in your standard development platform update regime. I have included a brief list of the other development platform related vulnerabilities that have been updated this month:
- Microsoft Scripting Engine Memory Corruption Vulnerability
- Chakra Scripting Engine Memory Corruption Vulnerability
- NuGet Package Manager Tampering Vulnerability
- Team Foundation Server Cross-site Scripting Vulnerability
- Visual Studio Remote Code Execution Vulnerability
Weirdly, this update does not map to any CVE entries, and is strictly a general bug fix update. You can read more (but not much more) about this minor security update from Adobe here. Add this minor update to your standard patch deployment effort.
Finally, if you thought Windows updates were straightforward, have a look at this, er, handy Windows 10 update flowchart…