
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN200

_____________________________________________________________________

DATE                : 10/07/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Internet Explorer, Microsoft Edge,
                     Microsoft Windows, Microsoft Office,
                     Microsoft Word, Microsoft Excel,
                     Office 365, Office 365 ProPlus,
                     Microsoft Visual Studio,
                     Windows Server,
                     ChakraCore,
                     Microsoft Office Online Server,
                     Team Foundation Server,
                     Microsoft SharePoint Server,
                     Microsoft SharePoint Enterprise Server,
                     Microsoft SharePoint Foundation,
                     Microsoft .NET Framework, .NET Core, ASP.NET Core,
                     Microsoft SQL Server,
                     Azure DevOps Server, Azure Automation,
                     Microsoft Lync,
                     Skype for Business,
                     Microsoft Exchange Server,
                     Microsoft Outlook,
                     Outlook for iOS,
                     Skype 8.35 when installed on Android Devices,
                     Microsoft Dynamics 365 (on-premises),
                     Microsoft Dynamics CRM 2015 (on-premises),
                     Azure IoT Edge,
                     Microsoft Azure Kubernetes Service,
                     Microsoft.IdentityModel 7.0.0,
                     Mail and Calendar.

=====================================================================
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190006
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190021
_____________________________________________________________________

********************************************************************
Microsoft Security Update Summary for July 9, 2019
Issued: July 9, 2019
********************************************************************

This summary lists security updates released for July 9, 2019.

Complete information for the July 2019 security update release
can be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.

Please note the following information regarding the security updates:

* A list of the latest servicing stack updates for each operating
system can be found in ADV990001:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001.
This list will be updated whenever a new servicing stack update is
released. It is important to install the latest servicing stack update.
* Windows 10 updates are cumulative. The monthly security release
includes all security fixes for vulnerabilities that affect Windows
10, in addition to non-security updates. The updates are available
via the Microsoft Update Catalog:
https://catalog.update.microsoft.com/v7/site/Home.aspx.
* Starting in March 2017, a delta package will be available on the
Microsoft Update Catalog for Windows 10 version 1607 and newer. This
delta package contains just the delta changes between the previous
month and the current release.
* Updates for Windows RT 8.1 and Microsoft Office RT software are
only available via Windows Update:
https://go.microsoft.com/fwlink/?LinkId=21130.
* For information on lifecycle and support dates for Windows 10
operating systems, please see the Windows Lifecycle Facts Sheet:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.
* In addition to security changes for the vulnerabilities, updates
include defense-in-depth updates to help improve security-related
features.

Critical Security Updates
============================

Internet Explorer 11
ChakraCore
Microsoft Edge
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server
Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core Installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2012 Update 5
Microsoft Visual Studio 2013 Update 5
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.1
Team Foundation Server 2010 SP1
Team Foundation Server 2012 Update 4
Team Foundation Server 2013 Update 5
Team Foundation Server 2015 Update 4.2
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
ASP.NET Core 2.1
ASP.NET Core 2.2
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 AND 4.7.2
Microsoft .NET Framework 3.5 AND 4.8
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6/4.6.1/4.6.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Azure Automation
Azure DevOps Server 2019.0.1
Mail and Calendar

Important Security Updates
============================

Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Outlook for Android
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Outlook for iOS
Mail and Calendar
Microsoft Lync 2013 Service Pack 1 (32-bit)
Microsoft Lync 2013 Service Pack 1 (64-bit)
Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
Microsoft Lync Basic 2013 Service Pack 1 (64-bit)
Skype for Business 2016 (32-bit)
Skype for Business 2016 (64-bit)
Skype for Business 2016 Basic (32-bit)
Skype for Business 2016 Basic (64-bit)
Microsoft Exchange Server 2010 Service Pack 3
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 12
Microsoft Exchange Server 2016 Cumulative Update 13
Microsoft Exchange Server 2019 Cumulative Update 1
Microsoft Exchange Server 2019 Cumulative Update 2
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU+GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU+GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
Microsoft SQL Server 2017 for x64-based Systems (CU+GDR)
Microsoft SQL Server 2017 for x64-based Systems (GDR)
Azure IoT Edge
Microsoft Azure Kubernetes Service
Microsoft.IdentityModel 7.0.0


Moderate Security Updates
=========================

Internet Explorer 9
Internet Explorer 10


Defense-in-Depth Updates
========================

Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019


Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwizard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

_________________________________________________________________


**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: July 9, 2019
**************************************************************************************

Security Advisories Released or Updated on July 9, 2019
======================================================================================

* Microsoft Security Advisory ADV990001

 - ADV990001 | Latest Servicing Stack Updates
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
 - Reason for Revision: A Servicing Stack Update has been released for
   all supported versions of Windows 10, Windows 8.1, Windows Server
   2012 R2 and Windows Server 2012. See the FAQ section for more
   information.
 - Originally posted: November 13, 2018
 - Updated: July 9, 2019
 - Version: 11.0

* Microsoft Security Advisory ADV190006

 - ADV190006 | Guidance to mitigate unconstrained delegation vulnerabilities
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190006
 - Reason for Revision: On July 9, 2019, Microsoft released security
   updates for all versions of Microsoft Windows to set the new trust
   flag to Yes for CVE-2019-0683, the CVE that addresses the issue
   described in ADV190006. For more information please see
   https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server.
 - Originally posted: February 12, 2019
 - Updated: July 9, 2019
 - Version: 1.4

* Microsoft Security Advisory ADV190021

 - ADV190021 | Outlook on the web Cross-Site Scripting Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190021
 - Reason for Revision: Information published.
 - Originally posted: July 9, 2019
 - Updated: N/A
 - Version: 1.0


======================================================================================

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


