Updated: 21st March 2019
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797, CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683, CVE-2019-0754, CVE-2019-0757 and CVE-2019-0809).
Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.
I have updated the suggested installation order (below) to reflect this new information. Thank you.
As scheduled; earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.
For Adobe; if you have not already done so; if you manage an installation of Adobe ColdFusion or know someone who does, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:
Adobe Digital Editions: 1x priority 3 CVE resolved
Adobe Photoshop CC: 1x priority3 CVE resolved
If you use the affected Adobe products; please install their remaining priority 3 updates when you can.
This month’s list of Known Issues is now sorted by Microsoft within their monthly summary page and applies to all currently supported operating systems:
KB4489878 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)
KB4489881 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
KB4489882 Windows 10 version 1607, Windows Server 2016
KB4489883 Windows 8.1, Windows Server 2012 R2 (Security-only update)
KB4489884 Windows Server 2012 (Security-only update)
KB4489885 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)
KB4489891 Windows Server 2012 (Monthly Rollup)
KB4489899 Windows 10 version 1809, Windows Server 2019
You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update related information is the Calendar of Updates.
News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer run website by donating.
For this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)
Microsoft XML: CVE-2019-0756
Scripting Engine: CVE-2019-0592 , CVE-2019-0746 , CVE-2019-0639 , CVE-2019-0783 , CVE-2019-0609 , CVE-2019-0611 , CVE-2019-0666 , CVE-2019-0769 , CVE-2019-0665 , CVE-2019-0667 , CVE-2019-0680 , CVE-2019-0773 , CVE-2019-0770 , CVE-2019-0771 , CVE-2019-0772
Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809
Microsoft Active Directory: CVE-2019-0683
NuGet Package Manager Tampering Vulnerability: CVE-2019-0757
Windows Denial of Service Vulnerability: CVE-2019-0754
Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)
If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005
Please install the remaining updates at your earliest convenience.
As always; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system as Chrome is installed.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:
Firefox 60.6: Resolves 4x critical critical CVEs, 4x high CVEs and 2x moderate CVEs
Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.