
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN122
_____________________________________________________________________

DATE                : 11/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Internet Explorer,
                     Microsoft Windows,
                     Microsoft Edge,
                     ChakraCore,
                     Microsoft Office Web Apps,
                     Microsoft Word,
                     Office 365 ProPlus,
                     Windows Server,
                     Microsoft SharePoint Server,
                     Microsoft Business Productivity Servers,
                     Microsoft Exchange Server,
                     Microsoft Dynamics 365 BC On Premise,
                     Microsoft Dynamics NAV,
                     Microsoft Dynamics 365 Business Central,
                     Azure DevOps Server,
                     Microsoft Visual Studio,
                     Team Foundation Server,
                     Application Inspector,
                     Windows Defender antimalware platform,
                     .NET Framework.

=====================================================================
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1226
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0605
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
_____________________________________________________________________

********************************************************************
Microsoft Security Update Summary for March 10, 2020
Issued: March 10, 2020
********************************************************************

This summary lists security updates released for March 10, 2020.

Complete information for the March 2020 security update release
can be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.

Please note the following information regarding the security updates:

* A list of the latest servicing stack updates for each operating
system can be found in ADV990001:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001.
This list will be updated whenever a new servicing stack update is
released. It is important to install the latest servicing stack update.
* Windows 10 updates are cumulative. The monthly security release
includes all security fixes for vulnerabilities that affect Windows
10, in addition to non-security updates. The updates are available
via the Microsoft Update Catalog:
https://catalog.update.microsoft.com/v7/site/Home.aspx.
* Starting in March 2017, a delta package will be available on the
Microsoft Update Catalog for Windows 10 version 1607 and newer. This
delta package contains just the delta changes between the previous
month and the current release.
* Updates for Windows RT 8.1 and Microsoft Office RT software are
only available via Windows Update:
https://go.microsoft.com/fwlink/?LinkId=21130.
* For information on lifecycle and support dates for Windows 10
operating systems, please see the Windows Lifecycle Facts Sheet:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.
* In addition to security changes for the vulnerabilities, updates
include defense-in-depth updates to help improve security-related
features.
* Starting in May 2019, Internet Explorer 11 is available on Windows
Server 2012. This configuration is present only in the IE Cumulative
package.
* Customers running Windows 7, Windows Server 2008 R2, or Windows Server
2008 need to purchase the Extended Security Update to continue receiving
security updates.
See
https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates
for more information.


Critical Security Updates
============================

Internet Explorer 11
ChakraCore
Microsoft Edge (EdgeHTML-based)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office Online Server
Microsoft Office 2016 for Mac
Microsoft SharePoint Server 2019
Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise)
Dynamics 365 Business Central 2019 Spring Update
Microsoft Dynamics 365 BC On Premise
Microsoft Dynamics NAV 2013
Microsoft Dynamics NAV 2015
Microsoft Dynamics NAV 2016
Microsoft Dynamics NAV 2017
Microsoft Dynamics NAV 2018

Important Security Updates
============================

Microsoft Business Productivity Servers 2010 Service Pack 2
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2013 Click-to-Run (C2R) for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Azure DevOps Server 2019 Update 1
Azure DevOps Server 2019 Update 1.1
Azure DevOps Server 2019.0.1
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2019 Cumulative Update 4
Application Inspector
Windows Defender antimalware platform

Moderate Security Updates
=========================

Internet Explorer 9


Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwizard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

_____________________________________________________________________

**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 10, 2020
**************************************************************************************

Security Advisories Released or Updated on March 10, 2020
======================================================================================

* Microsoft Security Advisory ADV190023

 - ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and
   LDAP Signing
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
 - Reason for Revision: Microsoft is announcing that the March 10, 2020
   security updates are available that add options for administrators to
   harden the configurations for LDAP channel binding on Active
   Directory domain controllers.
   These options are:
   1. "Domain controller: LDAP server channel binding token
      requirements" group policy.
   2. CBT signing events 3039, 3040, and 3041 with event source
      Microsoft-Windows-ActiveDirectory_DomainService in the Directory
      Service event log.
   Note that these March 10, 2020 updates and updates in the
   foreseeable future will not make changes to LDAP signing or LDAP
   channel binding policies or their registry equivalent on new or
   existing domain controllers.
 - Originally posted: August 13, 2019
 - Updated: March 10, 2020
 - Version: 2.0


* Microsoft Security Advisory ADV990001

 - ADV990001 | Latest Servicing Stack Updates
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001
 - Reason for Revision: Advisory updated to announce new versions of
   Servicing Stack Updates are available. Please see the FAQ for details.
 - Originally posted: November 13, 2018
 - Updated: March 10, 2020
 - Version: 20.0



======================================================================================


_____________________________________________________________________

**************************************************************************************
Title: Microsoft Security Update Releases
Issued: March 10, 2020
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2019-1224
* CVE-2019-1225
* CVE-2019-1226
* CVE-2020-0605


Revision Information:
=====================

 - CVE-2019-1224 | Remote Desktop Protocol Server Information Disclosure
   Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224
 - Version: 2.0
 - Reason for Revision: The following revisions have been made:
   1. To comprehensively address this vulnerability, Microsoft has
      released the March 2020 security updates for all supported
      editions of Windows 10 version 1903 and Windows Server, version
      1903 (Server Core installation).
   2. Added Windows 10 version 1909 and Windows Server, version 1909
      (Server Core installation) because these versions of Windows 10
      and Windows Server are also affected by this vulnerability.
      Microsoft strongly recommends that customers running any of these
      versions of Windows 10 or Windows Server install the updates to be
      fully protected from the vulnerability. Customers whose systems
      are configured to receive automatic updates do not need to take
      any further action.
 - Originally posted: August 13, 2019
 - Updated: March 10, 2020
 - Aggregate CVE Severity Rating: Important


 - CVE-2019-1225 | Remote Desktop Protocol Server Information Disclosure
   Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225
 - Version: 2.0
 - Reason for Revision: The following revisions have been made:
   1. To comprehensively address this vulnerability, Microsoft has
      released the March 2020 security updates for all supported
      editions of Windows 10 version 1903 and Windows Server, version
      1903 (Server Core installation).
   2. Added Windows 10 version 1909 and Windows Server, version 1909
      (Server Core installation) because these versions of Windows 10
      and Windows Server are also affected by this vulnerability.
      Microsoft strongly recommends that customers running any of these
      versions of Windows 10 or Windows Server install the updates to be
      fully protected from the vulnerability. Customers whose systems
      are configured to receive automatic updates do not need to take
      any further action.
 - Originally posted: August 13, 2019
 - Updated: March 10, 2020
 - Aggregate CVE Severity Rating: Important


 - CVE-2019-1226 | Remote Desktop Services Remote Code Execution
   Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1226
 - Version: 2.0
 - Reason for Revision: The following revisions have been made:
   1. To comprehensively address this vulnerability, Microsoft has
      released the March 2020 security updates for all supported
      editions of Windows 10 version 1903 and Windows Server, version
      1903 (Server Core installation).
   2. Added Windows 10 version 1909 and Windows Server, version 1909
      (Server Core installation) because these versions of Windows 10
      and Windows Server are also affected by this vulnerability.
      Microsoft strongly recommends that customers running any of these
      versions of Windows 10 or Windows Server install the updates to be
      fully protected from the vulnerability. Customers whose systems
      are configured to receive automatic updates do not need to take
      any further action.
 - Originally posted: August 13, 2019
 - Updated: March 10, 2020
 - Aggregate CVE Severity Rating: Critical


 - CVE-2020-0605 | .NET Framework Remote Code Execution Vulnerability
 - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0605
 - Version: 2.0
 - Reason for Revision: Revised the Security Updates table to include
   PowerShell 7.0 because it addresses this vulnerability in preview
   versions of PowerShell 7.
   See https://github.com/PowerShell/Announcements-Internal/issues/19
   for more information.
 - Originally posted: January 14, 2020
 - Updated: March 10, 2020
 - Aggregate CVE Severity Rating: Critical


**************************************************************************************

_______________________________________________________________

**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 10, 2020
**************************************************************************************

Security Advisories Released or Updated on March 10, 2020
======================================================================================

* Microsoft Security Advisory ADV200005

 - ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
 - Reason for Revision: Information published.
 - Originally posted: March 10, 2020
 - Updated: N/A
 - Version: 1.0


======================================================================================



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



