

===================================================================
                             CERT-Renater

                   Information Note No. 2021/VULN069
_____________________________________________________________________

DATE                : 09/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Azure Data Explorer, Kestrel Web Server,
                       Microsoft Dynamics, Microsoft Dynamics GP,
                       Microsoft Edge (Chromium-based),
                       Microsoft Office, Microsoft Office Excel,
                       Microsoft Office Outlook,
                       Microsoft Office SharePoint,
                       Microsoft Office Visio, Microsoft OneDrive,
                       Microsoft Teams,
                       Microsoft Windows Codecs Library,
                       Power BI,
                       Roaming Security Rights Management Services (RMS),
                       Role: DNS Server, Role: Windows Hyper-V,
                       SQL Server, Visual Studio Code,
                       Windows Common Log File System Driver,
                       Windows Desktop Window Manager Core Library,
                       Windows Kernel,
                       Windows Kernel-Mode Drivers,
                       Windows Named Pipe File System,
                       Windows Print Spooler Components,
                       Windows Remote Access Connection Manager,
                       Windows Remote Procedure Call Runtime,
                       Windows User Account Profile,
                       Windows Win32K.

====================================================================
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2022-Feb
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0887
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34500
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21871
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23254
https://msrc.microsoft.com/update-guide/vulnerability/ADV990001
_____________________________________________________________________

********************************************************************
Microsoft Security Update Summary for February 8, 2022
Issued: February 8, 2022
********************************************************************

This summary lists security updates released for February 8, 2022.

Complete information for the February 2022 security update release
can be found at <https://msrc.microsoft.com/update-guide/>.

IMPORTANT ANNOUNCEMENT: In the coming months we will be moving to a
new, more user-friendly and flexible system for delivering Microsoft
Technical Security Notifications. See Coming Soon: New Security Update
Guide Notification System for information about how you can sign up
for and receive these Technical Security Notifications.

Please note the following information regarding the security updates:

* For information regarding enabling Windows 10, version 1909 features,
please see Windows 10, version 1909 delivery options:
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1909-delivery-options/ba-p/1002660.
Note that these versions of Windows 10 share a common core operating
system with an identical set of system files: 1903 and 1909; 2004,
20H2, and 21H1. They will also share the same security update KBs.
* Windows 10 updates are cumulative. The monthly security release
includes all security fixes for vulnerabilities that affect Windows
10, in addition to non-security updates. The updates are available
via the Microsoft Update Catalog:
https://catalog.update.microsoft.com/v7/site/Home.aspx.
* For information on lifecycle and support dates for Windows 10
operating systems, please see the Windows Lifecycle Facts Sheet:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.
* A list of the latest servicing stack updates for each operating
system can be found in ADV990001:
https://msrc.microsoft.com/update-guide/vulnerability/ADV990001.
This list will be updated whenever a new servicing stack update is
released. It is important to install the latest servicing stack update.
* In addition to security changes for the vulnerabilities, updates
include defense-in-depth updates to help improve security-related
features.
* Customers running Windows 7, Windows Server 2008 R2, or Windows
Server 2008 need to purchase the Extended Security Update to
continue receiving security updates.
See
https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates
for more information.
* There is a change coming with regards to Servicing Stack Updates.
Please see Simplifying SSUs for more information.


Important Security Updates
==========================

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server 2022 Azure Edition Core Hotpatch
Windows Server, version 20H2 (Server Core Installation)
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2013 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2013 Click-to-Run (C2R) for 64-bit editions
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Office LTSC for Mac 2021
Microsoft Office Online Server
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft Outlook 2016 for Mac
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
Microsoft Teams Admin Center
Microsoft Teams for Android
Microsoft Teams for iOS
OneDrive for Android
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft Visual Studio 2022 version 17.0
Visual Studio 2019 for Mac version 8.10
Visual Studio Code
.NET 5.0
.NET 6.0
Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Dynamics GP
PowerBI-client JS SDK
SQL Server 2019 for Linux Containers
HEVC Video Extension
HEVC Video Extensions
VP9 Video Extensions
Azure Data Explorer


Other Information

Recognize and avoid fraudulent email to Microsoft customers:
============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId184>.

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwi
zard.aspx?wizidZ2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid33>.

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

_____________________________________________________________________

************************************************************************************
Title: Microsoft Security Update Revisions
Issued: February 8, 2022
************************************************************************************

Summary
=======

The following CVEs have undergone revision increments.
==================================================================================
* CVE-2019-0887
* CVE-2021-34500
* CVE-2022-21871
* CVE-2022-23254


  - CVE-2019-0887 | Remote Desktop Services Remote Code Execution
    Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0887
  - Version: 3.0
  - Reason for Revision: In the Security Updates table, added Remote
    Desktop client for Windows Desktop as it is also affected by this
    vulnerability. Customers running Remote Desktop client for Windows
    Desktop should ensure that they have version 1.2.2691 or higher to
    be protected from this vulnerability.
  - Originally posted: July 9, 2019
  - Updated: February 8, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2021-34500 | Windows Kernel Memory Information Disclosure
    Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34500
  - Version: 2.0
  - Reason for Revision: To comprehensively address CVE-2021-34500,
    Microsoft has released February 2022 security updates for the
    following supported editions of Microsoft Windows: Windows 10,
    Windows 10 Version 1607, Windows 8.1, Windows Server 2012 R2,
    Windows Server 2012, Windows 7, Windows Server 2008 R2,
    and Windows Server 2008. Microsoft strongly recommends that
    customers install the updates to be fully protected from the
    vulnerability. Customers whose systems are configured to receive
    automatic updates do not need to take any further action.
  - Originally posted: July 13, 2021
  - Updated: February 8, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector
    Runtime Elevation of Privilege Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21871
  - Version: 2.0
  - Reason for Revision: In the Security Updates table, added the
    following versions of Visual Studio as they are also affected by
    CVE-2022-21871: Microsoft Visual Studio 2019 version 16.9,
    Microsoft Visual Studio 2019 version 16.7, Microsoft Visual
    Studio 2017 version 15.9, and Microsoft Visual Studio 2015 Update 3.
    Microsoft strongly recommends that customers running any
    of these versions of Visual Studio install the updates to
    be fully protected from the vulnerability. Customers whose
    systems are configured to receive automatic updates do not
    need to take any further action.
  - Originally posted: January 11, 2022
  - Updated: February 8, 2022
  - Aggregate CVE Severity Rating: Important

  - CVE-2022-23254 | Microsoft Power BI Information Disclosure Vulnerability
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23254
  - Version: 1.1
  - Reason for Revision: Corrected the CVE title and description
    to address the vulnerability as Information Disclosure. In the
    Affected Products table, corrected the Impact to Information
    Disclosure. This is an informational change only.
  - Originally posted: February 8, 2022
  - Updated: February 8, 2022
  - Aggregate CVE Severity Rating: Important

IMPORTANT ANNOUNCEMENT: In the coming months we will be moving
to a new, more user-friendly and flexible system for delivering
Microsoft Technical Security Notifications. See "Coming Soon: New
Security Update Guide Notification System"
(https://aka.ms/SUGNotificationProfile) for information about how
you can sign up for and receive these Technical Security
Notifications.


_____________________________________________________________________

**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 8, 2022
**************************************************************************************

Security Advisories Released or Updated on February 8, 2022
====================================================================================
* ADV990001

  - ADV990001 | Latest Servicing Stack Updates
  - https://msrc.microsoft.com/update-guide/vulnerability/ADV990001
  - Reason for Revision: Advisory updated to announce new
    versions of Servicing Stack Updates are available. Please
    see the FAQ for details.
  - Originally posted: November 13, 2018
  - Updated: February 8, 2022
  - Version: 43.0


 

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================