[German]Microsoft has released some 'Microsoft Security Update Releases' for Patchday and afterwards. The last one is from yesterday. Here is an overview about serveral security notifications I've received within the last 2 weeks. I've added also a list of current servicing stack updates and an overview about Spectre mitigation.
Advertising
Security notification CVE-2019-1105 (June 20, 2019)
On June 20, 2019, Microsoft released the security warning CVE-2019-1105. This is a spoofing vulnerability in Microsoft's Outlook app for Android. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.
An attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and execute scripts in the security context of the current user. A security update for the Outlook app fixes the vulnerability. After that, the attack in Outlook for Android can no longer be used by specially crafted e-mail messages.
Microsoft Security Advisory Notification (June 14 2019)
Microsoft has already published the following information in a Security Advisory Notification as of June 14, 2019.
ADV990001: Current Servicing Stack Updates (SSUs)
Reason for notification: An SSU has been released for Windows 10 Version 1903 and Windows Server Version 1903 (Server Core Installation). The list of SSUs is maintained by Microsoft under ADV990001. Here is a quick overview, which was sent to me by blog reader Karl about patchlists.org – where the updates for version 1607, 1809 and 1903 refer to Windows 10 clients as well as the Windows Server counterparts.
- KB955430, 28. Apr. 2009, Win Vista SP2 / Server 2008 SP2 (6.0.x)
- KB4490628, 12. Mar 2019, Win 7 SP1 / Server 2008 R2 SP1 (+Embedded) (6.1.x)
- KB3173426, 12. Jul 2016, Win 8 / Server 2012 (6.2.x)
- KB3173424, 12. Jul 2016, Win 8.1 / Server 2012 R2 (6.3.x)
- KB4498353, 14. May 2019, Win 10 1507 SAC / LTSC (10.10240.x)
- KB4035632, 08. Aug 2017, Win 10 1511 SAC (10.10586.x)
- KB4503537, 11. Jun 2019, Win 10 1607 SAC / LTSC / Server 2016 LTSC (10.14393.x)
- KB4500640, 14. May 2019, Win 10 1703 SAC (10.15063.x)
- KB4500641, 14. May 2019, Win 10 1709 SAC / Server 2016 SAC (+ARM64) (10.16299.x)
- KB4497398, 14. May 2019, Win 10 1803 SAC / Server 2016 SAC (+ARM64) (10.17134.x)
- KB4504369, 11. Jun 2019, Win 10 1809 SAC / Server 2019 LTSC / SAC (+ARM64) (10.17763.x)
- KB4498523, 29. May 2019, Win 10 1903 RP (+ARM64) (10.18362.x)
Here are some hints on what certain SSUs for Windows 10 fix.
Advertising
Windows 10 V1903
For SSU SSU KB4498523 for Windows 10 V1903 applies:
- Fixes an issue that can prevent user profiles from loading correctly when you restart after installing certain updates.
- Fixes an issue that can occur when a language pack is installed while an update is pending. The update might not install and you might receive the error "0x800f0982".
- Fixes an issue that can occur when an optional feature, such as .Net Framework 3.5, is installed while an update is pending. The function installation may fail, and you may receive a "0x800F080C" error.
- Fixes an issue that might prevent updates from being installed after the /resetbase command is run in DISM.
So a number of bugs in Windows Update with SSU have been fixed. .
Windows 10 V1809
For SSU KB4504369 for Windows 10 V1809 applies: Fixes an issue that can occur when a language pack is installed while an update is pending. The update may not install and you may receive the error "0x800f0982".
Windows 10 V1607
For SSU KB4503537 for Windows 10 V1607 applies: Fixes an issue that can prevent user profiles from loading correctly when you restart after installing certain updates.
ADV180002: Guidelines for Spectre Mitigation
Microsoft Security Advisory ADV180002 (Guidance to mitigate speculative execution side-channel vulnerabilities, released first at January 3, 2018) the table in FAQ #9 for 14.6.2019 has been supplemented with information for ARM processors.
In addition to Microsoft's information, I have the following list of patches for the various Spectre vulnerabilities from blog reader Karl (thank you for that). Maybe someone can use it.
| Spectre 1, 2, 3, 3a, 4 (SSBD), | L1TF, MDS, Retpoline |
| Spectre v1/2
Server |
|
| Server 2008 SP2 | KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS |
| Server 2008 R2 SP1 | KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS |
| Server 2012 | KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS |
| Server 2012 R2 U1 | KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS |
| Server 2016 1607/Core | KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6 |
| Server 2016 1709 Core | KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6 |
| Server 2016 1803 Core | KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4 |
| Server 2019 1809/Core | included in OS + Registry AMD / Intel |
| Server 2019 1903 Core | included in OS + Registry AMD / Intel |
| Clients | |
| Windows Vista SP2 | KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS (out of support) |
| Windows 7 SP1 | KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS |
| Windows 8.0 | KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS (out of support) |
| Windows 8.1 U1 | KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS |
| Windows 10 1507 LTSC | KB4345455[1] + Registry AMD / Intel + BIOS or 2018-05 KB4091666-v5 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1511 | KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support) |
| Windows 10 1607 LTSC | KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1703 | KB4132649 + KB4338827[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1709 | KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS 2018-10 KB4090007_v6 (Home / Pro out of support) |
| Windows 10 1803 | KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4 |
| Windows 10 1809 | included in OS |
| Windows 10 1903 | included in OS |
| Windows 10 20H1 | included in OS |
| Spectre NG v3, 3a, 4 (SSBD) | [3], L1TF |
| Server | |
| Server 2008 SP2 | KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS |
| Server 2008 R2 SP1 | KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS |
| Server 2012 | KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS |
| Server 2012 R2 U1 | KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS |
| Server 2016 1607/Core | KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3 |
| Server 2016 1709 Core | KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3 |
| Server 2016 1803 Core | KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3 |
| Server 2019 1809/Core | BIOS or 2019-02 KB4465065-v3 + Registry AMD / Intel |
| Server 2019 1903 Core | included in OS + Registry AMD / Intel |
| Clients | |
| Windows Vista SP2 | KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS (out of support) |
| Windows 7 SP1 | KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS |
| Windows 8.0 | KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS (out of support) |
| Windows 8.1 U1 | KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS |
| Windows 10 1507 LTSC | KB4467680[0] > KB4471323[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346088-v2 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1511 | KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support) |
| Windows 10 1607 LTSC | KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1703 | KB4467696[0] > KB4499181[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346086-v3 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1709 | KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3 (Home / Pro out of support) |
| Windows 10 1803 | KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3 |
| Windows 10 1809 | KB4467708[0] > KB4471332[1] + Registry AMD / Intel + BIOS or 2019-02 KB4465065-v3 |
| Windows 10 1903 | included in OS |
| Windows 10 20H1 | included in OS |
| MDS Server |
|
| Server 2008 SP2 | Registry AMD / Intel + BIOS |
| Server 2008 R2 SP1 | Registry AMD / Intel + BIOS |
| Server 2012 | Registry AMD / Intel + BIOS |
| Server 2012 R2 U1 | Registry AMD / Intel + BIOS |
| Server 2016 1607/Core | Registry AMD / Intel + BIOS or 2019-05 KB4494175 |
| Server 2016 1709 Core | Registry AMD / Intel + BIOS or 2019-05 KB4494452 |
| Server 2016 1803 Core | Registry AMD / Intel + BIOS (KB Microcode not yet available) |
| Server 2019 1809/Core | Registry AMD / Intel + BIOS (KB Microcode not yet available) |
| Server 2019 1903 Core | included in OS |
| Clients | |
| Windows Vista SP2 | Registry AMD / Intel + BIOS |
| Windows 7 SP1 | Registry AMD / Intel + BIOS |
| Windows 8.0 | Registry AMD / Intel + BIOS |
| Windows 8.1 U1 | Registry AMD / Intel + BIOS |
| Windows 10 1507 LTSC | Registry AMD / Intel + BIOS or 2019-05 KB4494454 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1511 | (out of support) |
| Windows 10 1607 LTSC | Registry AMD / Intel + BIOS or 2019-05 KB4494175 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1703 | Registry AMD / Intel + BIOS or 2019-02 KB4494453 (Home / Pro / Ent / Edu out of support) |
| Windows 10 1709 | Registry AMD / Intel + BIOS or 2019-05 KB4494452 (Home / Pro out of support) |
| Windows 10 1803 | Registry AMD / Intel + BIOS (KB Microcode not yet available) |
| Windows 10 1809 | Registry AMD / Intel + BIOS (KB Microcode not yet available) |
| Windows 10 1903 | included in OS |
| Windows 10 20H1 | included in OS |
| Retpoline (<=Skylake)/ | ImportOptimization (>Skylake) |
| Server 2019 1809/Core | 2019-05 KB4494441 + Registry AMD / Intel |
| Server 2019 1903 Core | included in OS + Registry AMD / Intel |
| Windows 10 1809 | 2019-05 KB4494441 |
| Windows 10 1903 | included in OS |
SP = Service Pack, U = Update
[0] superseded, bugged should be declined
[1] or later cumulative security quality update. READ RESPECTIVE UPDATE HISTORY KNOWN ISSUES BEFORE APPLYING
[2] Exceptions apply to clients with AMD CPUs that need Registry AMD, refer MS advisories
[3] SSBD is never enable by default without Registry Intel, refer MS advisories
Registry values: Server: kb4072698 Clients: KB4073119
Other advisories June 11, 2019
**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 11, 2019
**************************************************************************************
Security Advisories Released or Updated on June 11, 2019
====================================================================
* Microsoft Security Advisory ADV190015
– ADV190015 | June 2019 Adobe Flash Security Update
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190015
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0
* Microsoft Security Advisory ADV190016
– ADV190016 | Bluetooth Low Energy Advisory
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190016
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0
* Microsoft Security Advisory ADV190017
– ADV190017 | Microsoft HoloLens Remote Code Execution Vulnerabilities
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190017
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0
* Microsoft Security Advisory ADV190018
– ADV190018 | Microsoft Exchange Server Defense in Depth Update
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190018
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0
* Microsoft Security Advisory 190013
– ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling
vulnerabilities
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190013
– Reason for revision: Microsoft is announcing that security updates 4503273
(monthly rollup) and 4503287 (security only), released on June 11, 2019 for
supported x64-based versions of Windows Server 2008, provide protections against
the Microarchitectural Data Sampling vulnerabilities addressed in this advisory.
– Originally posted: May 14, 2019
– Updated: June 11, 2019
– Version: 2.0
* Microsoft Security Advisory 190009
– ADV190009 | SHA-2 Code Sign Support Advisory
– https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190009
– Reason for revision: To correct an issue with the SHA-2 support for MSI files,
Microsoft is re-releasing KB4474419 for Windows Server 2008 Service Pack 2.
Microsoft recommends that customers running Windows Server 2008 Service Pack 2
reinstall update 4474419.
– Originally posted: March 13, 2019
– Updated: June 11, 2019
– Version: 3.0
****************************************************************************
Title: Microsoft Security Update Releases
Issued: June 11, 2019
****************************************************************************
Summary
=======
The following CVE has undergone a major revision increment: CVE-2017-8533
Revision Information:
=====================
– CVE-2017-8533
– Version: 5.0
– Reason for Revision: To comprehensively address CVE-2017-8533 for supported
editions of Windows 7 and Windows Server 2008 R2, Microsoft is releasing security
updates 4503292 (Monthly Rollup) and 4503269 (Security Only). We recommend that
customers running supported editions of these operating systems install the
appropriate June 2019 update to be fully protected from this vulnerability.
– Originally posted: June 13, 2017
– Updated: June 11, 2019
– Aggregate CVE Severity Rating: Important
