{"id":14823,"date":"2019-03-13T06:30:04","date_gmt":"2019-03-13T14:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/13\/news-8572\/"},"modified":"2019-03-13T06:30:04","modified_gmt":"2019-03-13T14:30:04","slug":"news-8572","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/03\/13\/news-8572\/","title":{"rendered":"March 2019 Windows and Office patches poke a few interesting places"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security12-100734741-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 13 Mar 2019 06:21:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Patch Tuesday has come and gone, not with a bang but a whimper. As of this moment, early Wednesday morning, I don\u2019t see any glaring problems with the 124 patches covering 64 individually identified security holes. But the day is yet young.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are a few patches of note.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Microsoft says that two of this month\u2019s security holes \u2014\u00a0<\/span><a href=\"https:\/\/isc.sans.edu\/vuln.html?cve=2019-0797\" rel=\"nofollow\"><span style=\"font-weight: 400;\">CVE-2019-0797<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/isc.sans.edu\/vuln.html?cve=2019-0808\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">CVE-2019-0808<\/span><\/a><span style=\"font-weight: 400;\">\u00a0\u2014 are being actively exploited. The latter of these zero days is the one that was being used in conjunction with the Chrome exploit that <\/span><a href=\"https:\/\/www.askwoody.com\/2019\/google-comes-clean-on-that-emergency-security-patch-and-shows-how-it-was-used-to-trigger-a-windows-7-0day\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">caused such a kerfuffle last week<\/span><\/a><span style=\"font-weight: 400;\">, with Google urging Chrome browser users to update right away, or risk the slings of nation-state hackers. If you\u2019ve already updated Chrome (which happens automatically for almost everybody), the immediate threat has been thwarted already. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">These two security holes are Elevation of Privilege bugs, which means that a miscreant who\u2019s already gotten into your system can use the bugs to move up to admin status. So if you\u2019re in charge of systems that are susceptible to sophisticated attacks, these patches warrant concern. For everybody else, they\u2019re not the stuff of Stephen King class nightmares.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As usual, Martin Brinkmann on ghacks.net has a <\/span><a href=\"https:\/\/www.ghacks.net\/2019\/03\/12\/microsoft-windows-security-updates-march-2019-overview\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">thorough listing<\/span><\/a><span style=\"font-weight: 400;\">, the SANS ISC forum has a <\/span><a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Microsoft+March+2019+Patch+Tuesday\/24742\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">succinct chart<\/span><\/a><span style=\"font-weight: 400;\">, and Dustin Childs on the Zero Day Initiative blog offers many <\/span><a href=\"https:\/\/www.thezdi.com\/blog\/2019\/3\/12\/the-march-2019-security-update-review\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">tech details<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Win10 version 1809 cumulative update, <\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4489899\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4489899<\/span><\/a><span style=\"font-weight: 400;\">, fixes the <\/span><a href=\"https:\/\/www.askwoody.com\/2019\/win10-1809-second-february-cumulative-update-kb-4482887-blamed-for-crazy-performance-drops-in-some-games\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">\u201ccrazy\u201d performance drop<\/span><\/a><span style=\"font-weight: 400;\"> in some games, including Destiny 2, that we encountered two weeks ago. However, it doesn\u2019t fix the other bug introduced by the \u201csecond February\u201d 1809 cumulative update, KB 4482887, which clobbers audio settings in specific circumstances:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">After installing this update on machines that have multiple audio devices, applications that provide advanced options for internal or external audio output devices may stop working unexpectedly. This issue occurs for users that select an audio output device different from the \u201cDefault Audio Device\u201d. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">As erpster4 <\/span><a href=\"https:\/\/www.tenforums.com\/windows-10-news\/128745-cumulative-update-kb4489899-windows-10-v1809-build-17763-379-mar-12-a-4.html\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">notes on Tenforums<\/span><\/a><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">KB 4489899 causes that problem only if there are multiple audio outputs or playback devices for Realtek HD audio (speakers, realtek digital output [SPDIF], etc.) and the output selected is <\/span><strong>not<\/strong><span style=\"font-weight: 400;\"> the &#8220;default audio device.&#8221; If only the &#8220;<\/span><span style=\"font-weight: 400;\">Speakers<\/span><span style=\"font-weight: 400;\">&#8221; output is listed on the Sound properties playback tab for Realtek audio (usually on ALC2xx codecs), then KB 449899 is safe to install.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition, this month\u2019s KB 4489899 doesn\u2019t fix the MSXML 6 bug introduced by the <\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4480116\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">first cumulative update in January:<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">After installing this update, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as <\/span><strong>appendChild()<\/strong><span style=\"font-weight: 400;\">, <\/span><strong>insertBefore()<\/strong><span style=\"font-weight: 400;\">, and <\/span><strong>moveNode()<\/strong><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Makes you wonder if 1809 will get the &#8220;ready for business deployment&#8221; imprimatur before 1903 hits the skids. Er, goes out the chute. That&#8217;s how it&#8217;s supposed to work, yes?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here\u2019s where the going gets a bit thick. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">As <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3322518\/microsoft-windows\/heads-up-a-critical-win7-server-2008-patch-coming-in-february-march-that-s-really-critical.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">explained in November<\/span><\/a><span style=\"font-weight: 400;\">, Microsoft is changing the way it\u2019s signing patches for Win7. Starting in July, your Win7 machine has to understand SHA-2 encryption in order to receive new patches. (Yes, this is the same Win7 that\u2019ll no longer receive new security patches next January.) <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Microsoft released two SHA-2 related patches. <\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4490628\/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4490628<\/span><\/a><span style=\"font-weight: 400;\"> is a Servicing Stack Update \u2014 it fixes the part of Windows 7 that installs patches. <\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4474419\/sha-2-code-signing-support-update-for-windows-7-and-server-2008-r2\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4474419<\/span><\/a><span style=\"font-weight: 400;\"> fixes Windows itself so it can handle SHA-2 encryption.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As @DrBonzo <\/span><a href=\"https:\/\/www.askwoody.com\/forums\/topic\/march-2019-patch-tuesday-patches\/#post-341045\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">explains<\/span><\/a><span style=\"font-weight: 400;\">, and @PKCano reiterates, if you\u2019re manually installing Win7 patches, you need the Servicing Stack Update KB 4490628 before you install this month\u2019s patches. (If you let Windows Update install the patches, it\u2019ll get installed first.) Then the Windows-only fix KB 4474419 can follow along any time before July. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you\u2019re installing the Win7 updates manually, there\u2019s a specific installation sequence <\/span><a href=\"https:\/\/www.askwoody.com\/forums\/topic\/march-2019-patch-tuesday-patches\/#post-340940\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">detailed by @PKCano<\/span><\/a><span style=\"font-weight: 400;\"> that ensures the updates go in the correct order.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With all the love being showered on Windows 7 this week (including <\/span><a href=\"https:\/\/www.askwoody.com\/2019\/seven-semper-fi-win7-to-get-sha-2-encryption-for-patches-directx-12-for-games\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">DirectX 12 for some games<\/span><\/a><span style=\"font-weight: 400;\">, and more annoying \u201cGet Windows 10\u201d <\/span><a href=\"https:\/\/www.askwoody.com\/2019\/gwx-redux-were-going-to-get-upgrade-to-win10-nag-notices-in-win7\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">nag screens<\/span><\/a><span style=\"font-weight: 400;\">), you might expect more sweetness and light for Office apps. Not so.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We only have six new<\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4491754\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">Office security patches<\/span><\/a><span style=\"font-weight: 400;\">, to add to the 28 non-security patches from earlier this month: one for Office 2010 and five for various Server versions. Remarkably, there are no new security patches for Office 2013 or 2016, although we do have two new versions of Office Click-toRun: 15.0.5119.1000 for Office 2013; 14.0.7230.5000 for Office 2010.<\/span><\/p>\n<p><em><span style=\"font-weight: 400;\">Thanks to @PKCano, @DrBonz, @abbodi86 and many others who volunteer their help keeping the patching gremlins at bay.<\/span><\/em><\/p>\n<p><i><span style=\"font-weight: 400;\">Questions? Problems? Hit us on the <\/span><\/i><a href=\"https:\/\/www.askwoody.com\/2019\/details-emerging-on-the-march-2019-patch-tuesday-trove\/\" rel=\"nofollow noopener\" target=\"_blank\"><i><span style=\"font-weight: 400;\">AskWoody Lounge<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3365218\/march-2019-windows-and-office-patches-poke-a-few-interesting-places.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security12-100734741-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 13 Mar 2019 06:21:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">Patch Tuesday has come and gone, not with a bang but a whimper. As of this moment, early Wednesday morning, I don\u2019t see any glaring problems with the 124 patches covering 64 individually identified security holes. But the day is yet young.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are a few patches of note.<\/span><\/p>\n<h2><strong>Two zero days<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">Microsoft says that two of this month\u2019s security holes \u2014\u00a0<\/span><a href=\"https:\/\/isc.sans.edu\/vuln.html?cve=2019-0797\" rel=\"nofollow\"><span style=\"font-weight: 400;\">CVE-2019-0797<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/isc.sans.edu\/vuln.html?cve=2019-0808\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">CVE-2019-0808<\/span><\/a><span style=\"font-weight: 400;\">\u00a0\u2014 are being actively exploited. The latter of these zero days is the one that was being used in conjunction with the Chrome exploit that <\/span><a href=\"https:\/\/www.askwoody.com\/2019\/google-comes-clean-on-that-emergency-security-patch-and-shows-how-it-was-used-to-trigger-a-windows-7-0day\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">caused such a kerfuffle last week<\/span><\/a><span style=\"font-weight: 400;\">, with Google urging Chrome browser users to update right away, or risk the slings of nation-state hackers. If you\u2019ve already updated Chrome (which happens automatically for almost everybody), the immediate threat has been thwarted already. <\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3365218\/march-2019-windows-and-office-patches-poke-a-few-interesting-places.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,10909,714,10525],"class_list":["post-14823","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-microsoft-office","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14823"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14823\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}