==================================================================== CERT-Renater Note d'Information No. 2020/VULN571 _____________________________________________________________________ DATE : 14/10/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Microsoft Windows, .NET Framework, .NET Core, Microsoft Office, Microsoft Office Web Apps, Microsoft 365 Apps for Enterprise, Microsoft Excel, Microsoft Excel Web App, Microsoft Word, Microsoft Office Online Server, Microsoft Outlook, Microsoft SharePoint Enterprise Server, Microsoft SharePoint Foundation, Microsoft SharePoint Server, Microsoft Exchange Server, 3D Viewer, Visual Studio Code, Microsoft Visual Studio, Dynamics 365 Commerce, Microsoft Dynamics 365 (on-premises), Adobe Flash Player, PowerShellGet 2.2.5s, Microsoft Remote Desktop. ===================================================================== https://portal.msrc.microsoft.com/en-us/security-guidance https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200012 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1147 _____________________________________________________________________ ******************************************************************** Microsoft Security Update Summary for October 13, 2020 Issued: October 13, 2020 ******************************************************************** This summary lists security updates released for October 13, 2020. Complete information for the October 2020 security update release Can be found at . Please note the following information regarding the security updates: * For information regarding enabling Windows 10, version 1909 features, please see Windows 10, version 1909 delivery options: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1909-delivery-options/ba-p/1002660. Note that Windows 10, versions 1903 and 1909 share a common core operating system with an identical set of system files. They will also share the same security update KBs. * Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog: https://catalog.update.microsoft.com/v7/site/Home.aspx. * For information on lifecycle and support dates for Windows 10 operating systems, please see the Windows Lifecycle Facts Sheet: https://support.microsoft.com/en-us/help/13853/windows- lifecycle-fact-sheet). * A list of the latest servicing stack updates for each operating system can be found in ADV990001: https://portal.msrc.microsoft.com /en-us/security-guidance/advisory/ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. * Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update: https://go.microsoft.com/fwlink/?LinkId=21130. * In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features. * Customers running Windows 7, Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates. See https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates for more information. * There is a change coming with regards to Servicing Stack Updates. Please see Simplifying SSUs for more information. Critical Security Updates ============================ Windows 10 for 32-bit Systems Windows 10 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1709 for 32-bit Systems Windows 10 Version 1709 for ARM64-based Systems Windows 10 Version 1709 for x64-based Systems Windows 10 Version 1803 for 32-bit Systems Windows 10 Version 1803 for ARM64-based Systems Windows 10 Version 1803 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems Windows 10 Version 1809 for ARM64-based Systems Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1903 for 32-bit Systems Windows 10 Version 1903 for ARM64-based Systems Windows 10 Version 1903 for x64-based Systems Windows 10 Version 1909 for 32-bit Systems Windows 10 Version 1909 for ARM64-based Systems Windows 10 Version 1909 for x64-based Systems Windows 10 Version 2004 for 32-bit Systems Windows 10 Version 2004 for ARM64-based Systems Windows 10 Version 2004 for x64-based Systems Windows 8.1 for 32-bit systems Windows 8.1 for x64-based systems Windows RT 8.1 Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation) Windows Server 2016 Windows Server 2016 (Server Core installation) Windows Server 2019 Windows Server 2019 (Server Core installation) Windows Server, version 1903 (Server Core installation) Windows Server, version 1909 (Server Core installation) Windows Server, version 2004 (Server Core installation) Microsoft 365 Apps for Enterprise for 32-bit Systems Microsoft 365 Apps for Enterprise for 64-bit Systems Microsoft Excel 2010 Service Pack 2 (32-bit editions) Microsoft Excel 2010 Service Pack 2 (64-bit editions) Microsoft Excel 2013 RT Service Pack 1 Microsoft Excel 2013 Service Pack 1 (32-bit editions) Microsoft Excel 2013 Service Pack 1 (64-bit editions) Microsoft Excel 2016 (32-bit edition) Microsoft Excel 2016 (64-bit edition) Microsoft Excel Web App 2010 Service Pack 2 Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office 2013 Click-to-Run (C2R) for 32-bit editions Microsoft Office 2013 Click-to-Run (C2R) for 64-bit editions Microsoft Office 2013 RT Service Pack 1 Microsoft Office 2013 Service Pack 1 (32-bit editions) Microsoft Office 2013 Service Pack 1 (64-bit editions) Microsoft Office 2016 (32-bit edition) Microsoft Office 2016 (64-bit edition) Microsoft Office 2016 for Mac Microsoft Office 2019 for 32-bit editions Microsoft Office 2019 for 64-bit editions Microsoft Office 2019 for Mac Microsoft Office Online Server Microsoft Office Web Apps 2010 Service Pack 2 Microsoft Office Web Apps 2013 Service Pack 1 Microsoft Outlook 2010 Service Pack 2 (32-bit editions) Microsoft Outlook 2010 Service Pack 2 (64-bit editions) Microsoft Outlook 2013 RT Service Pack 1 Microsoft Outlook 2013 Service Pack 1 (32-bit editions) Microsoft Outlook 2013 Service Pack 1 (64-bit editions) Microsoft Outlook 2016 (32-bit edition) Microsoft Outlook 2016 (64-bit edition) Microsoft SharePoint Enterprise Server 2013 Service Pack 1 Microsoft SharePoint Enterprise Server 2016 Microsoft SharePoint Foundation 2010 Service Pack 2 Microsoft SharePoint Foundation 2013 Service Pack 1 Microsoft SharePoint Server 2010 Service Pack 2 Microsoft SharePoint Server 2019 Microsoft Word 2010 Service Pack 2 (32-bit editions) Microsoft Word 2010 Service Pack 2 (64-bit editions) Microsoft Word 2013 RT Service Pack 1 Microsoft Word 2013 Service Pack 1 (32-bit editions) Microsoft Word 2013 Service Pack 1 (64-bit editions) Microsoft Word 2016 (32-bit edition) Microsoft Word 2016 (64-bit edition) Adobe Flash Player PowerShellGet 2.2.5 Important Security Updates ============================ Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 Microsoft .NET Framework 3.5 AND 4.6/4.6.1/4.6.2 Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2 Microsoft .NET Framework 3.5 AND 4.7.2 Microsoft .NET Framework 3.5 AND 4.8 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.5.2 Microsoft .NET Framework 4.6 Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Microsoft .NET Framework 4.8 Microsoft Exchange Server 2013 Cumulative Update 23 Microsoft Exchange Server 2016 Cumulative Update 17 Microsoft Exchange Server 2016 Cumulative Update 18 Microsoft Exchange Server 2019 Cumulative Update 6 Microsoft Exchange Server 2019 Cumulative Update 7 Dynamics 365 Commerce Microsoft Dynamics 365 (on-premises) version 8.2 Microsoft Dynamics 365 (on-premises) version 9.0 Visual Studio Code 3D Viewer Other Information ================= Recognize and avoid fraudulent email to Microsoft customers: ============================================================= If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email. The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security information, or installing security updates. You can obtain the MSRC public PGP key at . ******************************************************************** THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ******************************************************************** Microsoft respects your privacy. Please read our online Privacy Statement at . If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: . These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services. For legal Information, see: . This newsletter was sent by: Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052 _____________________________________________________________________ ************************************************************************************** Title: Microsoft Security Advisory Notification Issued: October 13, 2020 ************************************************************************************** Security Advisories Released or Updated on October 13, 2020 ====================================================================================== * ADV200012 - ADV200012 | October 2020 Adobe Flash Security Update - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200012 - Reason for Revision: Information published. - Originally posted: October 13, 2020 - Updated: N/A - Version: 1.0 * ADV990001 - ADV990001 | Latest Servicing Stack Updates - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001 - Reason for Revision: Advisory updated to announce new versions of Servicing Stack Updates are available. Please see the FAQ for details. - Originally posted: November 13, 2019 - Updated: October 13, 2020 - Version: 27.0 ====================================================================================== Other Information ================= Recognize and avoid fraudulent email to Microsoft customers: ====================================================================================== If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email. The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security bulletins, or installing security updates. You can obtain the MSRC public PGP key at . ************************************************************************************** THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ************************************************************************************** Microsoft respects your privacy. Please read our online Privacy Statement at . If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: . These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services. For legal Information, see: . This newsletter was sent by: Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052 _____________________________________________________________________ ************************************************************************************** Title: Microsoft Security Update Releases Issued: October 13, 2020 ************************************************************************************** Summary ======= The following CVEs have undergone a major revision increment: * CVE-2019-1181 * CVE-2019-1182 * CVE-2020-1147 Revision Information: ===================== * CVE-2019-1181 - CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181 - Version 2.0 - Reason for Revision: Revised the Security Updates table to add Microsoft Remote Desktop for Android, Microsoft Remote Desktop for Mac, and Microsoft Remote Desktop for Mac IoS because these apps are affected by this vulnerability. Microsoft recommends that customers running any of these apps install the latest security update to be fully protected from this vulnerability. Please see the FAQ section for information on how to get these updates. - Originally posted: August 13, 2020 - Updated: October 13, 2020 - Aggregate CVE Severity Rating: Critical * CVE-2019-1182 - CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182 - Version 2.0 - Reason for Revision: Revised the Security Updates table to add Microsoft Remote Desktop for Android, Microsoft Remote Desktop for Mac, and Microsoft Remote Desktop for Mac IoS because these apps are affected by this vulnerability. Microsoft recommends that customers running any of these apps install the latest security update to be fully protected from this vulnerability. Please see the FAQ section for information on how to get these updates. - Originally posted: August 13, 2020 - Updated: October 13, 2020 - Aggregate CVE Severity Rating: Critical * CVE-2020-1147 - CVE-2020-1147 | .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1147 - Version 2.0 - Reason for Revision: To comprehensively address CVE-2020-1147, Microsoft has released the following: October Security Updates for all affected versions of .NET Framework installed on Windows 10; October 2020 Monthly Rollup updates AND updated versions of the Security Only updates released in July 2020 for all affected versions of .NET Framework installed on Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers who install the Security Only updates should ensure that they re-install the updates after October 13. Customers whose systems are configured to receive automatic updates do not need to take any further action. - Originally posted: July 14, 2020 - Updated: October 13, 2020 - Aggregate CVE Severity Rating: Critical ************************************************************************************** Other Information ================= Recognize and avoid fraudulent email to Microsoft customers: ====================================================================================== If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email. The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security bulletins, or installing security updates. You can obtain the MSRC public PGP key at . ************************************************************************************** THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ************************************************************************************** Microsoft respects your privacy. Please read our online Privacy Statement at . If you would prefer not to receive future technical security notification alerts by email from Microsoft and its family of companies please visit the following website to unsubscribe: . These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services. For legal Information, see: . This newsletter was sent by: Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052 ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41         + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================