March 2019 Windows and Office patches poke a few interesting places

Credit to Author: Woody Leonhard | Date: Wed, 13 Mar 2019 06:21:00 -0700

Patch Tuesday has come and gone, not with a bang but a whimper. As of this moment, early Wednesday morning, I don’t see any glaring problems with the 124 patches covering 64 individually identified security holes. But the day is yet young.

There are a few patches of note.

Microsoft says that two of this month’s security holes — CVE-2019-0797 and CVE-2019-0808 — are being actively exploited. The latter of these zero days is the one that was being used in conjunction with the Chrome exploit that caused such a kerfuffle last week, with Google urging Chrome browser users to update right away, or risk the slings of nation-state hackers. If you’ve already updated Chrome (which happens automatically for almost everybody), the immediate threat has been thwarted already.

These two security holes are Elevation of Privilege bugs, which means that a miscreant who’s already gotten into your system can use the bugs to move up to admin status. So if you’re in charge of systems that are susceptible to sophisticated attacks, these patches warrant concern. For everybody else, they’re not the stuff of Stephen King class nightmares.

As usual, Martin Brinkmann on ghacks.net has a thorough listing, the SANS ISC forum has a succinct chart, and Dustin Childs on the Zero Day Initiative blog offers many tech details.

The Win10 version 1809 cumulative update, KB 4489899, fixes the “crazy” performance drop in some games, including Destiny 2, that we encountered two weeks ago. However, it doesn’t fix the other bug introduced by the “second February” 1809 cumulative update, KB 4482887, which clobbers audio settings in specific circumstances:

After installing this update on machines that have multiple audio devices, applications that provide advanced options for internal or external audio output devices may stop working unexpectedly. This issue occurs for users that select an audio output device different from the “Default Audio Device”.

As erpster4 notes on Tenforums:

KB 4489899 causes that problem only if there are multiple audio outputs or playback devices for Realtek HD audio (speakers, Realtek digital output [SPDIF], etc.) and the output selected is not the “default audio device.” If only the “Speakers” output is listed on the Sound properties playback tab for Realtek audio (usually on ALC2xx codecs), then KB 4489899 is safe to install.

In addition, this month’s KB 4489899 doesn’t fix the MSXML 6 bug introduced by the first cumulative update in January:

After installing this update, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

Makes you wonder if 1809 will get the “ready for business deployment” imprimatur before 1903 hits the skids. Er, goes out the chute. That’s how it’s supposed to work, yes?

Here’s where the going gets a bit thick.

As explained in November, Microsoft is changing the way it’s signing patches for Win7. Starting in July, your Win7 machine has to be able to validate SHA-2 code signatures in order to receive new patches. (Yes, this is the same Win7 that’ll no longer receive new security patches next January.)

Microsoft released two SHA-2 related patches. KB 4490628 is a Servicing Stack Update — it fixes the part of Windows 7 that installs patches. KB 4474419 fixes Windows itself so it can validate SHA-2 code signatures.

As @DrBonzo explains, and @PKCano reiterates, if you’re manually installing Win7 patches, you need the Servicing Stack Update KB 4490628 before you install this month’s patches. (If you let Windows Update install the patches, the Servicing Stack Update gets installed first automatically.) Then the Windows-only fix KB 4474419 can follow along any time before July.

If you’re installing the Win7 updates manually, there’s a specific installation sequence detailed by @PKCano that ensures the updates go in the correct order.
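If you manage more than a couple of Win7 machines, a quick readiness check beats eyeballing Installed Updates. The script below is an added example, not something from the article or from Microsoft: it uses the built-in Get-HotFix cmdlet to see whether the two KBs named above are present on the local machine and tells you what to install next in the order described. The function names and the wording of the advice strings are my own assumptions.

```powershell
# Added example (not from the article): readiness check for the Win7 SHA-2 signing transition.
# Assumes Windows 7 with Windows PowerShell 2.0 or later; Get-HotFix ships with it.
# The two KB numbers are the ones the article names; everything else here is assumed.

$ServicingStackKB = 'KB4490628'   # Servicing Stack Update: must be in before this month's other patches
$Sha2SupportKB    = 'KB4474419'   # SHA-2 code-signing support: needed before the July 2019 patches

function Test-KBInstalled {
    param([Parameter(Mandatory=$true)][string]$KB)
    # Get-HotFix reads the local installed-updates list; -Id matches the KB article id.
    # A missing KB makes Get-HotFix write an error, so suppress it and test for $null instead.
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Get-Win7Sha2Readiness {
    # Returns an object describing which prerequisite is present and what to do next,
    # following the install order given in the article: SSU first, then the SHA-2 fix.
    $ssu  = Test-KBInstalled -KB $ServicingStackKB
    $sha2 = Test-KBInstalled -KB $Sha2SupportKB

    $next = if (-not $ssu) {
        "Install $ServicingStackKB first; hold this month's rollup/cumulative updates until it is in."
    } elseif (-not $sha2) {
        "Servicing stack is current. Install $Sha2SupportKB any time before the July 2019 patches."
    } else {
        "Both SHA-2 prerequisites are installed; this machine can receive SHA-2-signed updates."
    }

    New-Object PSObject -Property @{
        ComputerName         = $env:COMPUTERNAME
        ServicingStackUpdate = $ssu
        Sha2SupportUpdate    = $sha2
        ReadyForSha2Updates  = ($ssu -and $sha2)
        NextStep             = $next
    }
}

Get-Win7Sha2Readiness | Format-List
```

Run it in an elevated PowerShell prompt on each Win7 box; a machine that reports ReadyForSha2Updates as False with the Servicing Stack Update missing is one where you should stop and install KB 4490628 before touching anything else from this month.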

With all the love being showered on Windows 7 this week (including DirectX 12 for some games, and more annoying “Get Windows 10” nag screens), you might expect more sweetness and light for Office apps. Not so.

We only have six new Office security patches, to add to the 28 non-security patches from earlier this month: one for Office 2010 and five for various Server versions. Remarkably, there are no new security patches for Office 2013 or 2016, although we do have two new versions of Office Click-to-Run: 15.0.5119.1000 for Office 2013; 14.0.7230.5000 for Office 2010.

Thanks to @PKCano, @DrBonzo, @abbodi86 and many others who volunteer their help keeping the patching gremlins at bay.

Questions? Problems? Hit us on the AskWoody Lounge.
