March 2019 Patch Tuesday Analysis

Patch Tuesday Webinar
Wednesday, Mar 13, 2019
Hosted by: Chris Goettl & Todd Schell
Dial in: 1-877-668-4490 (US)
Event ID: 804 993 774

Copyright©2019Ivanti.Allrightsreserved
Agenda
March 2019 Patch Tuesday Overview
In the News
Bulletins
Q & A
1
2
3
4

 Overview

 In the News

In the News
 Google finds exploits in the wild using vulnerabilities in Chrome and
Windows
 https://www.zdnet.com/article/google-chrome-zero-day-was-used-together-
with-a-windows-7-zero-day/
 Google Retpoline makes its way to Windows and other platforms
 Resolves Spectre Variant 2 performance issues while keeping
mitigation in place
 https://www.zdnet.com/article/microsoft-rolls-out-googles-retpoline-spectre-
mitigation-to-windows-10-users/
 PatchManagment.org
 Update coming
 Moving from Listserver to Google Groups
 DMARC support and other security concerns

Zero-day Exploited Vulnerabilities
 CVE-2019-0797 and -0808 Win32k Elevation of Privilege Vulnerability
 An elevation of privilege vulnerability exists in Windows when the Win32k
component fails to properly handle objects in memory. An attacker who
successfully exploited this vulnerability could run arbitrary code in kernel mode.
An attacker could then install programs; view, change, or delete data; or create
new accounts with full user rights.
 To exploit this vulnerability, an attacker would first have to log on to the system.
An attacker could then run a specially crafted application that could exploit the
vulnerability and take control of an affected system.
 The updates address these vulnerabilities by correcting how Win32k handles
objects in memory.

Publicly Disclosed Vulnerabilities
 CVE-2019-0683 - Active Directory Elevation of Privilege Vulnerability
 An elevation of privilege vulnerability exists in Active Directory Forest trusts due
to a default setting that lets an attacker in the trusting forest request delegation of
a TGT for an identity from the trusted forest. To exploit this vulnerability, an
attacker would first need to compromise an Active Directory forest.
 An attacker who successfully exploited this vulnerability could request delegation
of a TGT for an identity from the trusted forest.
 This update addresses the vulnerability by ensuring Active Directory Forest trusts
disable TGT delegation by default.

Publicly Disclosed Vulnerabilities (cont)
 CVE-2019-0754 - Windows Denial of Service Vulnerability
 A denial of service vulnerability exists when Windows improperly handles objects
in memory. An attacker who successfully exploited the vulnerability could cause a
target system to stop responding.
 To exploit this vulnerability, an attacker would have to log on to an affected
system and run a specially crafted application. The vulnerability would not allow
an attacker to execute code or to elevate user rights directly, but it could be used
to cause a target system to stop responding.
 The update addresses the vulnerability by correcting how Windows handles
objects in memory.

 CVE-2019-0757 - NuGet Package Manager Tampering Vulnerability
 A tampering vulnerability exists in the NuGet Package Manager for Linux and
Mac that could allow an authenticated attacker to modify a NuGet package's
folder structure. An attacker who successfully exploited this vulnerability could
potentially modify files and folders that are unpackaged on a system.
 To exploit this vulnerability, an attacker would need to log on to the affected
system and tamper with the folder contents of a package prior to building or
installation of an application.
 The security update addresses the vulnerability by correcting permissions on
folders inside the NuGet packages folder structure.

 CVE-2019-0809 - Visual Studio Remote Code Execution Vulnerability
 A remote code execution vulnerability exists when the Visual Studio C++
Redistributable Installer improperly validates input before loading dynamic link
library (DLL) files. An attacker who successfully exploited the vulnerability could
execute arbitrary code in the context of the current user. Users whose accounts
are configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.
 To exploit the vulnerability, an attacker must place a malicious DLL on a local
system and convince a user to execute a specific executable.
 The security update addresses the vulnerability by correcting how the Visual
Studio C++ Redistributable Installer validates input before loading DLL files.

Microsoft Finally Switching to SHA2 Certificates
 https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-
support-requirement-for-windows-and-wsus
 Phased migration process from March to September 2019
 Dual signed SHA1/SHA2 migrating to SHA2 signed only
 Legacy OS and WSUS require updates
 Advisory 190009 SHA-2 Code Sign Support Advisory
 Windows 7 and Server 2008 R2 migration update released this month
 https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-
update-for-windows-7-and-server-2008-r2
 All current Ivanti products support this change

Microsoft Patch Tuesday Updates of Interest
 Advisory 990001 Latest Servicing Stack Updates
 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001
 March Releases
 KB 4490628 - Windows 7 and Server 2008 R2
 Development Tool Updates
 Updates for Visual Studio for Mac
 Updates for Team Foundation Server 2017 and 2018
 Updated Development Components/Packages
 ChakraCore
 .NET Core 1.1 SDK and 2.1.500 SDK
 NuGet 4.3.1 – 4.9.4

Windows 10 Lifecycle Awareness
 Windows 10 Branch Support
 Complete Lifecycle Fact Sheet
 https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Source: Microsoft

Weekly Patch BLOG
 Latest Patch Releases
 Microsoft and Third-party
 Security and non-Security
 CVE Analysis
 Security Events of Interest
 Host: Brian Secrist
 https://www.ivanti.com/blog/
topics/patch-tuesday

Patch Content Announcement System
Announcements Posted on Community Pages
 https://community.ivanti.com/community/other/bulletins/patch-content-
notifications
 Subscribe to receive email or RSS notifications for desired product(s)

 Bulletins

Chrome-247: Security Update for Chrome
 Maximum Severity: Critical
 Affected Products: Google Chrome
 Description: The stable channel has been updated to 73.0.3683.75 for Windows, Mac
and Linux. This release contains a large number of security fixes as well as feature
improvements.
 Impact: Remote Code Execution
 Fixes 60 Vulnerabilities: See
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-
desktop_12.html for a list of CVEs remediated.
 Restart Required: Requires restart

MS19-03-W10: Windows 10 Update
 Affected Products: Microsoft Windows 10 Versions 1607, 1703, 1709, 1803, 1809,
Server 2016, Server 2019, Server 1709, Server 1803, IE 11 and Microsoft Edge
 Description: This bulletin references 9 KB articles. See KBs for the list of changes.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service,
Elevation of Privilege, and Information Disclosure
 Fixes 55 Vulnerabilities: CVE-2019-0797 is known to be exploited in the wild and
CVE-2019-0754 is publicly disclosed. See Details column of Security Update Guide for
the complete list of CVEs.
 Known Issues: See next slides

March Known Issues for Windows 10
 KB 4489882 – Windows 10, Version 1607 and Server 2016
 For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot
enumerate and manage logical switches deployed on the host after installing the update.
Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the
hosts. Workaround: 1.Run mofcomp on the following mof files on the affected host:
Scvmmswitchportsettings.mof and VMMDHCPSvr.mof. Follow the best practices.
 After installing KB4467684, the cluster service may fail to start with the error “2245
(NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with
greater than 14 characters. Workaround: Set the domain default "Minimum Password Length"
policy to less than or equal to 14 characters. Microsoft is working on a resolution.
 After installing this update, MSXML6 causes applications to stop responding if an exception was
thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). Group
Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a
Group Policy Preference for Internet Settings. Workaround: None. Microsoft is working on a
resolution.

March Known Issues for Windows 10 (cont)
 KB 4487026 – Windows 10, Version 1607 and Server 2016 (cont)
 After installing this update, Internet Explorer 11 may have authentication issues. This occurs
when two or more people use the same user account for multiple, concurrent login sessions on
the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal
Server logons. Symptoms include:
 Cache size and location show zero or empty.
 Keyboard shortcuts may not work properly.
 Webpages may intermittently fail to load or render correctly.
 Issues with credential prompts.
 Issues when downloading files.
 Workaround: Create unique user accounts so that two people don’t share the same user
account when logging on to a Windows Server machine. Additionally, disable multiple RDP
sessions for a single user account for a specific Windows Server.

 KB 4489899 – Windows 10, Version 1809, Server 2019

 KB 4489899 – Windows 10, Version 1809, Server 2019 (cont)
 After installing this update on machines that have multiple audio devices, applications that
provide advanced options for internal or external audio output devices may stop working
unexpectedly. This issue occurs for users that select an audio output device different from the
“Default Audio Device”. Examples of applications that may stop working include:
 Windows Media Player
 Realtek HD Audio Manager
 Sound Blaster Control Panel
 Workaround: As a temporary solution, select the “Default Audio Device” in the options provided
by the application; please refer to the application’s user manual for details. Microsoft is working
on a resolution and estimates a solution will be available in late March 2019.
 After installing this update, MSXML6 causes applications to stop responding if an exception was
thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). Group
Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a
Group Policy Preference for Internet Settings. Workaround: None. Microsoft is working on a
resolution.

MS19-03-IE: Security Updates for Internet Explorer
 Affected Products: Microsoft Internet Explorer 9,10,11
 Description: The fixes that are included in the cumulative Security Update for Internet
Explorer are also included in the March 2019 Security Monthly Quality Rollup. Installing
either the Security Update for Internet Explorer or the Security Monthly Quality Rollup
installs the fixes that are in the cumulative update. This bulletin references 11 KB
articles.
 Impact: Remote Code Execution and Security Feature Bypass
 Fixes 12 Vulnerabilities: CVE-2019-0609, CVE-2019-0665, CVE-2019-0666, CVE-
2019-0667, CVE-2019-0680, CVE-2019-0746, CVE-2019-0761, CVE-2019-0762, CVE-
2019-0763, CVE-2019-0768, CVE-2019-0780, CVE-2019-0783
 Restart Required: Requires browser restart
 Known Issues: See IE issues associated with OS updates

MS19-03-MR2K8: Monthly Rollup for Windows Server 2008
 Affected Products: Microsoft Windows Server 2008 and Internet Explorer 9
 Description: This security update includes improvements and fixes that were a part of update KB
4487022 (released February 19, 2019). Security updates to Internet Explorer 9.1, Windows App
Platform and Frameworks, Windows Server, Windows Hyper-V, Windows Storage and Filesystems,
Windows Fundamentals, Windows Kernel, Windows MSXML, and the Microsoft JET Database
Engine. This bulletin is based on KB 4489880.
 Impact: Remote Code Execution, Denial of Service, Elevation of Privilege, and
Information Disclosure
 Fixes 21 Vulnerabilities: CVE-2019-0603, CVE-2019-0614, CVE-2019-0617, CVE-2019-
0683, CVE-2019-0690, CVE-2019-0702, CVE-2019-0703, CVE-2019-0704, CVE-2019-0754, CVE-
2019-0755, CVE-2019-0756, CVE-2019-0759, CVE-2019-0765, CVE-2019-0767, CVE-2019-0772,
CVE-2019-0774, CVE-2019-0775, CVE-2019-0782, CVE-2019-0784, CVE-2019-0808, CVE-2019-
0821
 Known Issues: None reported

MS19-03-SO2K8: Security-only Update for Windows Server 2008
 Affected Products: Microsoft Windows Server 2008
 Description: Security updates to Windows App Platform and Frameworks, Windows
Server, Windows Hyper-V, Windows Storage and Filesystems, Windows
Fundamentals, Windows Kernel, Windows MSXML, and the Microsoft JET Database
Engine. This bulletin is based on KB 4489876.
0821

MS19-03-MR7: Monthly Rollup for Win 7 and Server 2008 R2
 Affected Products: Microsoft Windows 7, Server 2008 R2, and IE
4486565 (released February 19, 2019). Security updates to Internet Explorer, Windows App
Platform and Frameworks, Windows Cryptography, Windows Hyper-V, Windows Storage and
Filesystems, Windows Fundamentals, Windows Server, Windows Kernel, Windows MSXML, and
the Microsoft JET Database Engine. This bulletin is based on KB 4489878.
 Fixes 21 (shown) + 12 (IE) Vulnerabilities: CVE-2019-0603, CVE-2019-0614, CVE-
2019-0808, CVE-2019-0821, ADV190009
 Known Issues: See next slide

March Known Issues for Windows 7 and Server 2008 R2
 KB 4489878 – Windows 7 Service Pack 1, Windows Server 2008 R2 Service
Pack 1 (Monthly Rollup)
 KB 4489885 – Windows 7 Service Pack 1, Windows Server 2008 R2 Service
Pack 1 (Security-only update)

MS19-03-SO7: Security-only Update for Win 7 and Server 2008 R2
 Affected Products: Microsoft Windows 7, Server 2008 R2
 Description: Security updates to Windows App Platform and Frameworks, Windows
Cryptography, Windows Hyper-V, Windows Storage and Filesystems, Windows Fundamentals,
Windows Server, Windows Kernel, Windows MSXML, and the Microsoft JET Database Engine.
This bulletin is based on KB 4489885.
0821, ADV190009
 Known Issues: See previous slide

MS19-03-MR8: Monthly Rollup for Server 2012
 Affected Products: Microsoft Server 2012 and IE
Platform and Frameworks, Windows Hyper-V, Windows Storage and Filesystems, Windows
Fundamentals, Windows Kernel, Windows Server, and the Microsoft JET Database Engine. This
bulletin is based on KB 4489891.
 Impact: Remote Code Execution, Denial of Service, Elevation of Privilege and
2019-0821

March Known Issues for Server 2012
 KB 4489891 – Windows Server 2012 (Monthly Rollup)
 KB 4489884 – Windows Server 2012 (Security-only update)

MS19-03-SO8: Security-only Update for Server 2012
 Affected Products: Microsoft Server 2012
 Description: Security updates to Windows App Platform and Frameworks, Windows Hyper-V,
Windows Storage and Filesystems, Windows Fundamentals, Windows Kernel, Windows Server,
and the Microsoft JET Database Engine. This bulletin is based on KB 4489884.
CVE-2019-0775, CVE-2019-0782, CVE-2019-0784, CVE-2019-0797, CVE-2019-0821

MS19-03-MR81: Monthly Rollup for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2, and IE
Platform and Frameworks, Windows Hyper-V, Windows Storage and Filesystems, Windows
Fundamentals, Windows Kernel, Windows Server, Windows MSXML, and the Microsoft JET
Database Engine. This bulletin is based on KB 4489881.
2019-0821

February Known Issues for Windows 8.1 and Server 2012 R2
 KB 4489881 – Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
 KB 4489883 – Windows 8.1, Windows Server 2012 R2 (Security-only update)

MS19-03-SO81: Security-only Update for Win 8.1 and Server 2012 R2
 Affected Products: Microsoft Windows 8.1, Server 2012 R2
 Description: Security updates to Windows App Platform and Frameworks, Windows Hyper-V,
Windows Storage and Filesystems, Windows Fundamentals, Windows Kernel, Windows Server,
Windows MSXML, and the Microsoft JET Database Engine. This bulletin is based on KB 4489883.
CVE-2019-0775, CVE-2019-0782, CVE-2019-0784, CVE-2019-0797, CVE-2019-0821

MS19-03-SPT: Security Updates for SharePoint Server
 Maximum Severity: Important
 Affected Products: Microsoft Enterprise SharePoint Server 2013, 2016
 Description: This security update resolves a cross-site-scripting (XSS) vulnerability if
Microsoft SharePoint Server does not correctly sanitize a specially crafted web request
to an affected SharePoint server. This bulletin is based on KB articles 4462208 and
4462211.
 Impact: Tampering
 Fixes 1 Vulnerability: CVE-2019-0778
 Restart Required: Requires Restart

MS19-03-OFF: Security Updates for Microsoft Office
 Maximum Severity: Important
 Affected Products: Office 2010, Lync Server 2013, Skype Business Server 2015
 Description: This security update resolves vulnerabilities in several Microsoft Office
applications. This bulletin references KB articles 3061064, 2809243, and 4462226.
 Impact: Remote Code Execution and Spoofing
 Fixes 2 Vulnerabilities: CVE-2019-0748, CVE-2019-0798
 Restart Required: Requires application restart

MS19-03-O365: Security Updates for Office 365 ProPlus
 Maximum Severity: Recommended
 Affected Products: Office 365 ProPlus, Office 2019
 Description: This month’s update resolved various bugs and performance issues in
Microsoft Office 365 applications. Information on Office 365 ProPlus updates is
available at https://docs.microsoft.com/en-us/officeupdates/release-notes-office365-
proplus
 Impact: Defense in Depth
 No Vulnerabilities Reported

MS19-03-AFP: Security Update for Adobe Flash Player
 Affected Products: Adobe Flash Player
 Description: This security update resolves vulnerabilities in Adobe Flash Player that is
installed on any supported edition of Windows Server 2016, Windows 10 Version 1809,
Windows 10 Version 1803, Windows 10 Version 1709, Windows 10 Version 1703,
Windows 10 Version 1607, Windows 10 (RTM), Windows Server 2012, Windows
Server 2012 R2, Windows 8.1, or Windows RT 8.1. This bulletin is based on
ADV190008.
 Impact: Defense in Depth
 No Vulnerabilities Reported

 Affected Products: Adobe Flash Player, CCleaner, Skype, GoToMeeting, Zoom
 Description: Non-Security updates may include critical bug fixes and feature updates.
Depending on what version you are updating from a Non-Security update could include
security fixes from previous updates you have not yet applied. Ivanti recommends
updating 3rd party applications as regularly as possible to ensure additional security
threats are not exposed.
Non-security Updates

Between Patch Tuesday’s
New Product Support: Slack MSI
Security Updates: 7-Zip (1), Adobe Acrobat (1), CCleaner (2), Google Chrome (3),
CoreFTP (1), DropBox (2), Firefox (1), Firefox ESR (1), Foxit Reader (2), Foxit Phantom
PDF (1), FileZilla (2), GOM Player (1), LibreOffice (1), Malwarebytes (1), Microsoft (2),
Nitro Pro (3), Node.JS (7), Notepad++ (1), Opera (3), RealTimes (1), Slack (1),
Thunderbird (3), TortoiseGit (1), Tomcat (1), TeamViewer (1), WinSCP (1), Wireshark (3),
Webex Productivity Tools (1), WinRAR (1)
Non-Security Updates: Audacity (1), BlueJeans (1), Google Drive File Stream (1),
GoodSync (3), GoToMeeting (2), Microsoft (46), NVivo (1), Power BI Desktop (1), Plex
Media Player (2), PSPad (1), R for Windows (1), Royal TS (1), Skype (2), Snagit (1),
TreeSize Free (2), Visual Studio Code (2), XnView (1), Zoom Client (2), Zoom Outlook
Plugin (2)

Third Party CVE Information
 Google Chrome 72.0.3626.121
 CHROME-246, QGC7203626121
 WinRAR 5.70
 WRAR-017, QWRAR570
 Fixes 4 Vulnerabilities: CVE-2018-20250, CVE-2018-20251, CVE-2018-
20252, CVE-2018-20253
 Webex Productivity Tools 33.0.7.23
 WPT-026, QWPT330723
 Thunderbird 60.5.1
 TB19-6051, QTB6051
 Fixes 4 Vulnerabilities: CVE-2018-18335, CVE-2018-18356, CVE-2018-
18509, CVE-2019-5785

Third Party CVE Information (cont)
 Node.JS 6.17.0 (Maintain)
 NOJSM-003, QNODEJSM6170
 Fixes 3 Vulnerabilities: CVE-2019-1559, CVE-2019-5737, CVE-2019-5739
 Node.JS 10.15.2 (LTS Upper)
 NOJSLU-006, QNODEJSLU10152
 Node.JS 8.15.1 (LTS Lower)
 NOJSLL-004, QNODEJSLL8151
 Fixes 2 Vulnerabilities: CVE-2019-1559, CVE-2019-5737
 Node.JS 11.10.1 (Current)
 NOJSC-010, QNODEJSC11101

Third Party CVE Information (cont)
 Adobe Acrobat and Reader
 APSB19-13, QARDC1901020098MUI, QARDC1901020098,
QARDC1701130127MUI, QARDC1500630482MUI, QADC1901020098,
QADC1701130127, QADC1500630482
 Wireshark 2.6.7
 WIRES-089, QWIRES267
 Fixes 2 Vulnerabilities: CVE-2019-9208,CVE-2019-9209
 Wireshark 2.4.13
 WIRES-090, QWIRES2413
 Fixes 2 Vulnerabilities: CVE-2019-9208,CVE-2019-9209

Nashville | April 29-May 2, 2019 | Interchange.ivanti.com
Engage in
Deep-Dive Technical
Training
Meet One-on-One
with Product
Experts
Gain Product
Roadm ap
Insights
Hear from
IT Industry
Experts
Network with
Leaders and
Peers
Early Bird: $1,495 til March 29
$100 off with code INTWEBNASH19

March 2019 Patch Tuesday Analysis

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to March 2019 Patch Tuesday Analysis

Similar to March 2019 Patch Tuesday Analysis (20)

More from Ivanti

More from Ivanti (20)

Recently uploaded

Recently uploaded (20)

March 2019 Patch Tuesday Analysis

Editor's Notes