==================================================================== CERT-Renater Note d'Information No. 2018/VULN381 _____________________________________________________________________ DATE : 14/11/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, Microsoft Excel, Microsoft Word, Microsoft Office Web Apps, Office 365 ProPlus, Microsoft Office Word Viewer, Windows Server, Microsoft Project, Microsoft Project Server, ChakraCore, .NET Core, Microsoft Dynamics 365 (on-premises), PowerShell Core, Microsoft SharePoint Server, Microsoft SharePoint Enterprise Server, Microsoft Exchange Server, Microsoft Excel, Microsoft Excel Viewer, Azure App Service on Azure Stack, Microsoft Office Compatibility Pack, Microsoft Lync, Skype for Business, Team Foundation Server. ===================================================================== https://portal.msrc.microsoft.com/en-us/security-guidance _____________________________________________________________________ ******************************************************************** Microsoft Security Update Summary for November 13, 2018 Issued: November 13, 2018 ******************************************************************** This summary lists security updates released for November 13, 2018. Complete information for the November 2018 security update release Can be found at . Please note the following information regarding the security updates: * A list of the latest servicing stack updates for each operating system can be found in [ADV990001](https://portal.msrc.microsoft.com /en-us/security-guidance/advisory/ADV180026). This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. * Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available cvia the [Microsoft Update Catalog](http://catalog.update.microsoft.com/v7/site/Home.aspx). * Starting in March 2017, a delta package will be available on the Microsoft Update Catalog for Windows 10 version 1607 and newer. This delta package contains just the delta changes between the previous month and the current release. * Updates for Windows RT 8.1 and Microsoft Office RT software are only available via [Windows Update](http://go.microsoft.com/fwlink/?LinkId=21130). * For information on lifecycle and support dates for Windows 10 operating systems, please see [Windows Lifecycle Facts Sheet](https://support.microsoft.com/en-us/help/13853/windows- lifecycle-fact-sheet). * In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features. Critical Security Updates ============================ ChakraCore Microsoft Edge Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for Itanium-Based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows 8.1 for 32-bit systems Windows 8.1 for x64-based systems Windows RT 8.1 Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation) Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1703 for 32-bit Systems Windows 10 Version 1703 for x64-based Systems Windows 10 version 1709 for 32-bit Systems Windows 10 version 1709 for x64-based Systems Windows 10 Version 1709 for ARM64-based Systems Windows 10 Version 1803 for 32-bit Systems Windows 10 Version 1803 for x64-based Systems Windows 10 Version 1803 for ARM64-based Systems Windows 10 Version 1809 for 32-bit Systems Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for ARM64-based Systems Windows Server 2016 Windows Server 2016 (Server Core installation) Windows Server, version 1709 (Server Core Installation) Windows Server, version 1803 (Server Core Installation) Windows Server 2019 Windows Server 2019 (Server Core installation) Microsoft Dynamics 365 (on-premises) version 8 Important Security Updates ============================ Internet Explorer 11 PowerShell Core 6.0 PowerShell Core 6.1 Azure App Service on Azure Stack Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office 2013 RT Service Pack 1 Microsoft Office 2013 Service Pack 1 (32-bit editions) Microsoft Office 2013 Service Pack 1 (64-bit editions) Microsoft Office 2016 (32-bit edition) Microsoft Office 2016 (64-bit edition) Microsoft Office 2016 for Mac Microsoft Office 2019 for Mac Microsoft Office 2019 for 32-bit editions Microsoft Office 2019 for 64-bit editions Office 365 ProPlus for 32-bit Systems Office 365 ProPlus for 64-bit Systems Microsoft Excel 2010 Service Pack 2 (32-bit editions) Microsoft Excel 2010 Service Pack 2 (64-bit editions) Microsoft Excel 2013 RT Service Pack 1 Microsoft Excel 2013 Service Pack 1 (32-bit editions) Microsoft Excel 2013 Service Pack 1 (64-bit editions) Microsoft Excel 2016 (32-bit edition) Microsoft Excel 2016 (64-bit edition) Microsoft Excel Viewer 2007 Service Pack 3 Microsoft Office Compatibility Pack Service Pack 3 Microsoft Office Web Apps 2010 Service Pack 2 Microsoft Office Web Apps Server 2013 Service Pack 1 Microsoft Outlook 2010 Service Pack 2 (32-bit editions) Microsoft Outlook 2010 Service Pack 2 (64-bit editions) Microsoft Outlook 2013 RT Service Pack 1 Microsoft Outlook 2013 Service Pack 1 (32-bit editions) Microsoft Outlook 2013 Service Pack 1 (64-bit editions) Microsoft Outlook 2016 (32-bit edition) Microsoft Outlook 2016 (64-bit edition) Microsoft Project 2010 Service Pack 2 (32-bit editions) Microsoft Project 2010 Service Pack 2 (64-bit editions) Microsoft Project 2016 (32-bit edition) Microsoft Project 2016 (64-bit edition) Microsoft Project Server 2013 Service Pack 1 (32-bit edition) Microsoft Project Server 2013 Service Pack 1 (64-bit edition) Microsoft SharePoint Server 2010 Service Pack 2 Microsoft SharePoint Foundation 2013 Service Pack 1 Microsoft SharePoint Enterprise Server 2013 Service Pack 1 Microsoft SharePoint Enterprise Server 2016 Microsoft SharePoint Server 2019 Microsoft Word 2010 Service Pack 2 (32-bit editions) Microsoft Word 2010 Service Pack 2 (64-bit editions) Microsoft Word 2013 RT Service Pack 1 Microsoft Word 2013 Service Pack 1 (32-bit editions) Microsoft Word 2013 Service Pack 1 (64-bit editions) Microsoft Word 2016 (32-bit edition) Microsoft Word 2016 (64-bit edition) Microsoft Exchange Server 2010 Microsoft Exchange Server 2013 Microsoft Exchange Server 2016 Microsoft Exchange Server 2019 Team Foundation Server 2017 Update 3.1 Team Foundation Server 2018 Update 1.1 Team Foundation Server 2018 Update 3 Team Foundation Server 2018 Update 3.1 Moderate Security Updates ============================ .NET Core 2.1 Low Security Updates ============================ Internet Explorer 9 Internet Explorer 10 Microsoft Lync 2013 Service Pack 1 (32-bit) Microsoft Lync 2013 Service Pack 1 (64-bit) Microsoft Lync Basic 2013 Service Pack 1 (32-bit) Microsoft Lync Basic 2013 Service Pack 1 (64-bit) Skype for Business 2016 (32-bit) Skype for Business 2016 (64-bit) Skype for Business 2016 Basic (32-bit) Skype for Business 2016 Basic (64-bit) Other Information ================= Recognize and avoid fraudulent email to Microsoft customers: ============================================================= If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email. The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security information, or installing security updates. You can obtain the MSRC public PGP key at . ******************************************************************** THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ******************************************************************** Microsoft respects your privacy. Please read our online Privacy Statement at . If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: . These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services. For legal Information, see: . This newsletter was sent by: Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052 ________________________________________________________________ ******************************************************************** Title: Microsoft Security Advisory Notification Issued: November 13, 2018 ******************************************************************** Security Advisories Released or Updated on November 13, 2018 =================================================================== * Microsoft Security Advisory ADV990001 - Title: Latest Servicing Stack Updates - https://portal.msrc.microsoft.com/en-us/security-guidance/ advisory/ADV990001 - Reason for Revision: Information published - Originally posted: November 13, 2018 - Updated: N/A - Version: 1.0 * Microsoft Security Advisory ADV180002 - Title: Guidance to mitigate speculative execution side-channel vulnerabilities - https://portal.msrc.microsoft.com/en-us/security-guidance/ advisory/ADV180002 - Reason for Revision: The following updates have been made: 1. Added information to FAQ #9 for customers running Windows Server 2019. 2. Updated FAQ #18 to announce that with the Windows security updates released on November 13, 2018, Microsoft is providing the solution for customers with AMD-based devices who experienced high CPU utilization after installing the June or July security updates and updated microcode from AMD. Microsoft recommends that these customers install the November Windows security updates and re-enable the Spectre Variant 2 mitigations if they were previously disabled. This solution is available in the November Windows security updates for: Windows Server 2008, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. 3. Added FAQ #20 to address the mitigations for ARM CPUs for CVE 2017-5715, Branch Target Injection. - Originally posted: January 3, 2018 - Updated: November 13, 2018 - Version: 26.0 * Microsoft Security Advisory ADV180012 - Title: Microsoft Guidance for Speculative Store Bypass - https://portal.msrc.microsoft.com/en-us/security-guidance/ advisory/ADV180012 - Reason for Revision: The following updates have been made to this advisory: 1. Microsoft is announcing that the security updates released on November 13, 2018 for all supported versions of Windows 10, and for Windows Server 2016; Windows Server, version 1709; Windows Server, version 1803; and Windows Server 2019 provide protections against the Speculative Store Bypass vulnerability (CVE-2018-3639) for AMD-based computers. These protections are not enabled by default. For Windows client (IT pro) guidance, follow the instructions in KB4073119. 2. Microsoft is announcing the availability of updates for Surface Studio and Surface Book that address the Speculative Store Bypass (SSB) (CVE-2018-3639) vulnerability. See the Affected Products table for links to download and install the updates. See Microsoft Knowledge Base article 4073065 for more information. 3. In the Security Updates table, the Article and Download links have been corrected for affected Surface devices. 4. Windows 10 version 1809 and Windows Server 2019 have been added to the Security Updates table because they are affected by the SSB vulnerability. 5. The Recommended Actions and FAQ sections have been updated to include information for devices using AMD processors. - Originally posted: May 21, 2018 - Updated: November 13, 2018 - Version: 6.0 * Microsoft Security Advisory ADV180013 - Title: Microsoft Guidance for Rogue System Register Read - https://portal.msrc.microsoft.com/en-us/security-guidance/ advisory/ADV180013 - Reason for Revision: The following updates have been made to this advisory: 1. Microsoft is announcing the availability of updates for Surface Book that address the Rogue System Registry Read (CVE-2018-3640) vulnerability. See the Affected Products table for links to download and install the updates. See Microsoft Knowledge Base article 4073065 for more information. 2. In the Security Updates table, the Article and Download links have been corrected. - Originally posted: May 21, 2018 - Updated: November 13, 2018 - Version: 5.0 * Microsoft Security Advisory ADV180018 - Title: Microsoft guidance to mitigate L1TF variant - https://portal.msrc.microsoft.com/en-us/security-guidance/ advisory/ADV180018 - Reason for Revision: The following updates have been made: 1. Updated the "Microsoft Windows client customers" section to provide clarification about how the protections for CVE-2018-5754 and CVE-2018-3620 are related. Customers that have disabled the protection for CVE-2017-5754 must re-enable it to gain protection for CVE-2018-3620 (See FAQ#2). 2. Updated the "Microsoft Window Server customers" section to include information for customers running Windows Server 2019. Added further clarification to address VBS, Hyper-V, and Hyper-Threading configurations based on the version of Windows Server. 3. In FAQ 3, added Windows 10 Version 1809 to the list of Windows versions in which VBS is supported. - Originally posted: August 14, 2018 - Updated: November 13, 2018 - Version: 5.0 Other Information ================= Recognize and avoid fraudulent email to Microsoft customers: ============================================================= If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email. The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security bulletins, or installing security updates. You can obtain the MSRC public PGP key at . ******************************************************************** THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ******************************************************************** Microsoft respects your privacy. Please read our online Privacy Statement at . If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: . These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services. For legal Information, see: . This newsletter was sent by: Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================