Microsoft security updates for March 2019 released
Microsoft has released security updates for the following products: Windows, Windows Server, Microsoft Edge, Internet Explorer, Office, SharePoint Server, Visual Studio, Team Foundation Server, .NET Core SDK, NuGet, Mono Framework, ChakraCore and Adobe Flash Player.
A summary of the number and type of vulnerabilities in each product is shown in the chart below:
The severity, potential impact and the updates that address these vulnerabilities are listed in the table below:
Product Family | Maximum Severity | Maximum Impact | Associated KB Articles and/or Support Webpages |
Windows 10 v1809, v1803, v1709, v1703, v1607, Windows 10 for 32-bit Systems, and Windows 10 for x64-based Systems (not including Edge) | Critical | Remote Code Execution | Windows 10 v1809 Security Update: 4489899; Windows 10 v1803 Security Update: 4489868; Windows 10 v1709 Security Update: 4489886; Windows 10 v1703 Security Update: 4489871; Windows 10 v1607 Security Update: 4489882; Windows 10 Security Update: 4489872 |
Windows Server 2019, Windows Server 2016, and Server Core installations (2019, 2016, v1803, and v1709) | Critical | Remote Code Execution | Windows Server 2019 Security Update: 4489899; Windows Server 2016 Security Update: 4489882; Windows Server, version 1803 Security Update: 4489868; Windows Server, version 1709 Security Update: 4489886 |
Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008 | Critical | Remote Code Execution | Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 Monthly Rollup: 4489881; Windows 8.1 and Windows Server 2012 R2 Security Only: 4489883; Windows Server 2012 Security Only: 4489884; Windows Server 2012 Monthly Rollup: 4489891; Windows 7 and Windows Server 2008 R2 Monthly Rollup: 4489878; Windows 7 and Windows Server 2008 R2 Security Only: 4489885; Windows 7 and Windows Server 2008 R2 Security Update: 4474419; Windows Server 2008 Monthly Rollup: 4489880; Windows Server 2008 Security Only: 4489876 |
Microsoft Edge | Critical | Remote Code Execution | Microsoft Edge on Windows 10 v1809 and Microsoft Edge on Windows Server 2019 Security Update: 4489899; Microsoft Edge on Windows 10 v1803 Security Update: 4489868; Microsoft Edge on Windows 10 v1709 Security Update: 4489886; Microsoft Edge on Windows 10 v1703 Security Update: 4489871; Microsoft Edge on Windows Server 2016 and Microsoft Edge on Windows 10 v1607 Security Update: 4489882; Microsoft Edge on Windows 10 Security Update: 4489872 |
Internet Explorer | Critical | Remote Code Execution | Internet Explorer 11 on Windows 10 v1809 and Internet Explorer 11 on Windows Server 2019 Security Update: 4489899; Internet Explorer 11 on Windows 10 v1803 Security Update: 4489868; Internet Explorer 11 on Windows 10 v1709 Security Update: 4489886; Internet Explorer 11 on Windows 10 v1703 Security Update: 4489871; Internet Explorer 11 on Windows Server 2016 and Internet Explorer 11 on Windows 10 v1607 Security Update: 4489882; Internet Explorer 11 on Windows 10 Security Update: 4489872; Internet Explorer 9 on Windows Server 2008, Internet Explorer 11 on Windows 7, Internet Explorer 11 on Windows Server 2008 R2, Internet Explorer 11 on Windows 8.1, Internet Explorer 11 on Windows Server 2012 R2, and Internet Explorer 10 on Windows Server 2012 IE Cumulative: 4489873; Internet Explorer 10 on Windows Server 2012 Monthly Rollup: 4489891; Internet Explorer 11 on Windows 7 and Internet Explorer 11 on Windows Server 2008 R2 Monthly Rollup: 4489878; Internet Explorer 9 on Windows Server 2008 Monthly Rollup: 4489880 |
Microsoft Office-related software (including SharePoint) | Important | Remote Code Execution | Microsoft Lync Server 2013 July 2018 Update: 2809243; Microsoft Office 2010 Service Pack 2 (64-bit editions): 4462226; Microsoft Office 2010 Service Pack 2 (32-bit editions): 4462226; Microsoft SharePoint Enterprise Server 2016: 4462211; Microsoft SharePoint Foundation 2013: 4462208 |
.NET Core SDK, NuGet, and Mono Framework | Important | Tampering | Microsoft .NET and .NET Core downloads: https://dotnet.microsoft.com/download |
Visual Studio | Important | Remote Code Execution | Microsoft Visual Studio downloads: https://visualstudio.microsoft.com/downloads/ |
ChakraCore | Critical | Remote Code Execution | ChakraCore is the core part of Chakra, the high-performance JavaScript engine that powers Microsoft Edge and Windows applications written in HTML/CSS/JS. More information is available at https://github.com/Microsoft/ChakraCore/wiki and https://github.com/Microsoft/ChakraCore/releases/ |
Adobe Flash Player | Low | Defense in Depth | Adobe Flash Player Security Update: 4489907; Adobe Flash Player Advisory: ADV190008 |
Team Foundation Server | Low | Spoofing | Team Foundation Server is now called Azure DevOps Server. Find more information on Azure DevOps Server here: https://docs.microsoft.com/en-us/azure/devops/server/?view=azure-devops |
Please note
The following vulnerabilities and security updates deserve special attention:
Windows/Windows Server
CVE-2019-0726 — Windows DHCP Client Remote Code Execution Vulnerability
CVE-2019-0797 — Win32k Elevation of Privilege Vulnerability (Exploitation Detected!)
CVE-2019-0808 — Win32k Elevation of Privilege Vulnerability (Exploitation Detected!)
CVE-2019-0754 — Windows Denial of Service Vulnerability (Publicly Disclosed!)
Microsoft Edge/Internet Explorer
CVE-2019-0667 — Windows VBScript Engine Remote Code Execution Vulnerability
CVE-2019-0609 — Scripting Engine Memory Corruption Vulnerability
Microsoft Office
CVE-2019-0748 — Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
Microsoft SharePoint
CVE-2019-0778 — Microsoft Office SharePoint XSS Vulnerability
.NET Core
CVE-2019-0757 — NuGet Package Manager Tampering Vulnerability (Publicly Disclosed!)
Microsoft Visual Studio
CVE-2019-0809 — Visual Studio Remote Code Execution Vulnerability (Publicly Disclosed!)
Microsoft Active Directory
CVE-2019-0683 — Active Directory Elevation of Privilege Vulnerability (Publicly Disclosed!)
Security advisories
The following advisories were released in January:
ADV190010 — Best Practices Regarding Sharing of a Single User Account Across Multiple Users
Microsoft strongly recommends customers avoid the use of a "common" or "shared" Windows logon account. A single user account should never be shared amongst different users. This is especially true when users are logging into the same physical machine. Customers who have solutions designed this way are encouraged to engage their solution vendors for assistance in configuring their product to support independent user accounts.
ADV190009 — SHA-2 Code Sign Support Advisory
Microsoft is announcing the release of SHA-2 code sign support for Windows 7 SP1, and Windows Server 2008 R2 SP1.
ADV190008 — March 2019 Adobe Flash Security Update
This security update addresses minor security fixes, which are described in Adobe Security Bulletin APSB19-12.
The following advisories were supplemented and updated:
ADV990001 — Latest Servicing Stack Updates
March 2019 SSU for Windows 7/Server 2008 R2.
Additional information
For your convenience, I suggest downloading the summary table in Microsoft Excel format, which contains all the information about this release of Microsoft security bulletins and can be filtered and searched by any parameter.
You can also watch the recording of our monthly "Security Briefing" webinar, which covers the current release of Microsoft security updates and bulletins in detail.
The most complete and up-to-date information on vulnerabilities and security updates is available on our Security Update Guide portal.
Artyom Sinitsyn,
Information Security Program Manager, Microsoft
@ArtyomSinitsyn