13
Mar 19

Patch Tuesday, March 2019 Edition

Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and Sharepoint. If you (ab)use Microsoft products, it’s time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today’s patch batch without any help from users.

One interesting patch from Microsoft this week comes in response to a zero-day vulnerability (CVE-2019-0797) reported by researchers at Kaspersky Lab, who discovered the bug could be (and is being) exploited to install malicious software.

Microsoft also addressed a zero day flaw (CVE-2019-0808) in Windows 7 and Windows Server 2008 that’s been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google’s Chrome browser. A security alert from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.

If you use Chrome, take a moment to make sure you have this update and that there isn’t an arrow to the right of your Chrome address bar signifying the availability of new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.

This is the third month in a row Microsoft has released patches to fix high-severity, critical flaws in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”).

These are severe “receive a bad packet of data and get owned” type vulnerabilities. But Allan Liska, senior solutions architect at security firm Recorded Future, says DHCP vulnerabilities are often difficult to take advantage of, and the access needed to do so generally means there are easier ways to deploy malware.

The bulk of the remaining critical bugs fixed this month reside in Internet Explorer, Edge and Office. All told, not the craziest Patch Tuesday. Even Adobe’s given us a month off (or at least a week) patching critical Flash Player bugs: The Flash player update shipped this week includes non-security updates.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A good backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Further reading:

Qualys

SANS Internet Storm Center

Ask Woody

ZDNet

Tags: , , , , , , , , ,

44 comments

  1. The Sunshine State

    Is “Servicing stack update” (KB4490628) for Windows 7 SP1″ more Microsoft tracking?

    • The Servicing Stack update is not a telemetry update; it is necessary to ensure that you’ll receive the SHA-2 -based patches in the future. (I believe those start in a couple of months for Windows 7/Server 2008 R2.)

      For those not seeing the Servicing Stack update – you won’t see it until you apply or hide everything else in the queue.

      • My Windows 7 Ultimate 64 bit, update is trying to install that KB number again, despite showing that it is already installed successfully. MS updates are sure getting buggy.

        • Interesting…as Arte Johnson used to say. I also have 7/64 and usually wait until Friday or Saturday to install the updates. This month, the downloads from the Microsoft Update Catalog were slow and spasmodic…which I don’t recall happening before.

    • It seems to do quite a bit, people tend to say it’s quite a large topic to cover. From what I read on a forum post and the Microsoft-issued update log, one function is it assisting during Windows Updates. It’s also supposed to fix update corruptions.

  2. Eric Rosenberg

    Of my two machines automatically updated, one is fine, the other is DOA. I can’t past the BIOS to change the boot sequence to boot up from the recovery USB. It hangs on the manufacturer (HP) logo. No Windows, no nothing. Not sure what to do next!

    • Windows 10 or 7? Try holding F8 as it boots to see if you can get into safe mode. There are also tons of Microsoft forum posts that can help.

    • Getting into BIOS happens before the OS even starts to load. Disconnect all peripherals (except keyboard and mouse) and make sure you are hitting the correct key (F10, F1, F2, Escape) to get into BIOS. May need to turn off “Secure Boot” to change the boot order.

    • There could be a peripheral (external hard drive, printer, etc.) plugged into the computer, which is causing things to get stuck. Try unplugging all of the peripherals and boot up again.

      Good luck.

    • HP used to include some pretty good recovery software for such events. If you can get to the HP web site for your model of PC, you could check the user manual for the procedure. Windows 10 may have changed all that, because it has some pretty good recovery options as well – but there are many different avenues to attack the subject, so the advice here to consult the MS support site are very valid.

    • Disconnect your PSU, and Take out your CMOS battery for 5-10 minutes and put it back. That’s what I had to do.

  3. I was called by “Microsoft” yesterday (really a robo call) that explained there were critical patches and they even referenced the Microsoft site and phone number. I had the option of talking to an engineer so I pressed 1. Some one picked up and asked how they could help me. After I asked which department they worked in at Microsoft they hung up. I assume they would’ve tried remoting in or asking me for sensitive information.

  4. I had no issues with this month’s patches/updates being processed properly on either W7U or W10H machines, thankfully.

  5. KB4490628 is trying to install again, despite the history showing it installed successfully already. I’m not sure it is worth a call to MS to even bother with it. I’ll just leave it in the queue for a while to see if MS ships another fix for a buggy update. Seems that is the MS way now days – send buggy updates then send a fix afterward – geeze!

    At least I didn’t have to contend with that 1809 disaster that my sister had to deal with on Windows 10!

  6. I did the auto-install of the updates on my HP h9-1183 running Win7 Premium and it killed my video. I was able to view the usual menu with Ctrl-Alt-Delete, but aside from that it was a black screen (no cursor) after Windows loaded. All this was preceded by Chrome failing to run (looks like it is up to date, per your warning), at which point I rebooted and that’s when the video failed. Rolling back the security patches (4489878 and 4474419) restored the video (and Chrome).

    • Allan,
      If your video failed how were you able to back out the two updates? Safe mode?

      • John, correct, rebooted in safe and then did the roll back. And all I had to roll back were the security patches. Might have gotten away with just one of the two, but haven’t tried individual installs of each to see if just one is the offending update, or if it’s both.

  7. The correct Google Chrome version is 73.0.3683.75 as of today. On a side note, I don’t get an arrow on the address bar, or any other indication that Chrome has an update pending. My update notifications usually come from US-CERT via email. I usually click on the Hamburger -> Help -> About Google Chrome on all OS flavors to perform the update.

    So far no problems detected on Windows 10 Enterprise from this update.

    • Thanks for that! I didn’t realize, and got caught with my pants down – so to speak. Chrome is usually better than that. Not even my software updater caught it.

  8. This patch caused lots of problems on my laptop.
    The first was a series of repeated error messages about being unable to access the wacom driver. I eventually had to plug a wacom tablet in to get past those, but when the desktop started to appear it was extremely slow.

    It’s a little better now, but still very slow to boot up and shut down with noticeable lag opening programs like Word and Gimp, and in opening files with those programs.

    I haven’t tried to use any tablets yet. Word threw up an error when I first tried to use it, but eventually started to run.

    And, of course, the whole process made me late for work because I’d only intended to turn on for 5 mins to google something. 45mins later I was able to power down and go out.

    It’s an HP G50 laptop

  9. Immediately after Tuesday’s update, a lot of my text (in email and on various sites) appears faded and portions of the letters are missing to the point it is unreadbale. Anyone else have this problem or know a fix?

  10. This patch is killing me. Two machines running Win7 Pro on automatic updates have hung in an endless loop of “Configuring Windows – Do Not Turn Your Computer Off” warning messages. The machines never actually boot …

    • At this point I’m reasonably convinced that Microsoft is … maybe not directly sabotaging Windows 7, but being so incredibly awful about support and quality and regression-checking updates that it’s reasonable to believe that they’re punishing anyone who has the temerity to not switch to Windows 10 on their schedule.

      • Microsoft issued a reminder among those KBs that states the Win 7 will be out of support since February 2020.
        I’ve dumped SHA stack KBs though, as when I figure out that I need them, I know where to get them.

    • Had same problem. CTRL-ALT-DELETE gets you in.

  11. As far as DHCP abuse goes, many business-grade switches have a function that blocks rogue DHCP servers. It’s a good idea to use this functionality regardless of this specific issue.

  12. I’m curious what problems enterprise users are having if they do a “one shot” patch application ot all their Microsoft product. Are the problems mainly browser related, small components, or all over the map? How many of you are able to apply all patches simultaneously without incident?

  13. PC killed (win 7 64). Thanks to Microsabotagesoft. After UEFI it goes into system repair loop. No safe mode. SFC and offline iso DISM won’t work.

  14. Just out of curiosity… (No sarcasm implied) why are ya’ll still running Windows 7?

    • Windows 7 isn’t perfect, but it was one of the most stable, secure, and easily used versions of Windows, when it was introduced. A great deal of money and time was spent integrating Windows 7 in the modern workforce.

      Entire industries evolved around Windows 7, don’t forget. Much of “Internet 2.0” was built on computers running Windows 7. The growth of healthcare informatics was integrated with secure software designed for Windows 7. The proliferation of high speed Internet was fueled, in part, by inexpensive computers in every school and small business, all on the back of Windows 7.

      Since Windows 8 and 10 are cosmetic updates to the user interface and fairly minor changes that don’t affect the core purpose or functionality of Windows, it’s hard to argue for major investment into converting older systems to use 8 or 10.

      Many of these readers may want to upgrade their systems to Windows 8 or 10, but they don’t want to abandon other software or equipment that were designed to be used with Windows 7.

      There’s no sense in eating a hen that still lays eggs. The same goes for cows that still produce milk and replacing Windows 7.

    • It started out with Windows 10 being a complete dumpster fire when released. My honest impression is that it was so bad that I thought it was Microsoft’s passive-aggressive way to get out of the desktop operating systems business. There’s nothing that says “professional work environment” like Microsoft whoring out your desktop for the latest crapware version of Candy Crush or whatever. They took all of the horrible problems associated with their “monthly service pack” approach to Windows Update and somehow made those a hundred times worse (and ten times slower) with a container store system that breaks every few months and almost always requires 1-2 technician-hours to fix (we’re getting better at automating this, but the amount of work has been insane – it’s like all of the tools involved were specifically designed to resist scripting). The UX is somewhat better than Windows 8/8.1, in a desultory way (“Ok. Fine. You can have your start menu back. But our feelings were really hurt, so we’ll still use tiles for no obvious reason and bury the far more useful Pin-to-Taskbar function another pop-out menu deep.”). Then there’s the whole “you’re getting a mandatory point-release OS update every six months, no matter how stupid that is in a business environment that’s more concerned about stability and UI continuity than it is about having a better version of Minesweeper”… or you can buy Enterprise Edition ($$$) plus Software Assurance ($$$) and we’ll deign to let your use the LTSB version that we made that only you ridiculous troglodytes who insist on avoiding the trendy new continuous release paradigm (translation: everything is early beta quality, forever, get used to it) have any interest in.

      It’s like the executives at Microsoft went to an astronomical degree of trouble and expense to graft more arms onto themselves so they could give us the finger with eight or nine hands at once instead of just two. So, please humbly pardon us if we weren’t just aching to get with the program.

  15. Running Windows 7 Home Prem 32 Bit. Was unable to run System Restore after January 2019 updates. Had to restore back to a system image using a recovery disc & then did not try to re-install January updates. Had no problem with Feb updates, but ran into the same system restore problems with March updates & so I restored back to a system image once again. Jan & March updates causing slow down issues & some funky issues with my desktop Icons. Do not like these updates disabling my System Restore, thus I am doing a complete Backup & System Image from now on immediately before installing any more Microsoft Updates so if I need to restore my system using a system image, I wont lose a bunch of data

  16. New windows updates (March 12/2019)has given me the blue screen with the notation (Driver IRQL not less or equal(afd.sys) and system reboots. Have uninstalled update and everything works fine. Installed on 3 different occasions and each time I get the blue screen, so I am left with not installing this update. What’s the fix if any?

  17. Issue resolved but not exactly sure how I did it. I did 3 things…………disconnected all USB ports………printer may have been wonky…………I installed a new update for java………..I rebooted computer 2 times…………all done after new update installed ……….one of these worked………..not sure which one did the trick.

  18. Question:
    Is a machine “protected” from Google Chrome Vulnerability as long as this Microsoft update KB4489878 is installed or Google Chrome 72.0.3626.121?

  19. Much as I’d love to update this HP Windows 10 desktop machine, it’s been stuck at Windoze 10 v1703 forever. It cannot update to 1803 (at all, never mind the patch fixes) due to an issue with “Infineon TPM Professional Package can’t be uninstalled,” and if you can find that blasted thing on this machine, you’re a better man than I.

    All my other machines are fully up-to-date; this one is stuck in the weeds, despite many sessions of researching the problem on the Intertubes and trying various solutions: searching for certain folder names, filenames, MSConfigging and whatnot. Having MS tell me (in their error message) that I must manually uninstall the thing because their procedure cannot does not fill me with confidence. One of these days I’ll figure it out.

    • Have you tried to install 1809 directly through use of the MS creation tool to produce the updated image on a USB drive for installation? That worked (finally) for me on a Toshiba netbook with a 32Gb SSD after nothing else had, and 1809 installed properly that way.

  20. It can be difficult to find the coupon codes you want when you need them most. Here are some quality websites dedicated to finding discounts and collecting

Leave a comment