Компания Microsoft выпустила обновления безопасности для следующих продуктов: Windows, Windows Server, Microsoft Edge, Internet Explorer, Office, SharePoint, Exchange Server, Visual Studio, Team Foundation Server, .NET Framework, .NET Core, ChakraCore и Java SDK for Azure IoT.
Сводная информация по количеству и типу уязвимостей в соответствующих продуктах приведена на графике ниже:
Информация об уровне критичности, потенциальном ущербе и соответствующих обновлениях, закрывающих данные уязвимости, представлена в таблице ниже:
Product Family | Maximum Severity | Maximum Impact | Associated KB Articles and/or Support Webpages |
Windows 10 v1809, v1803, v1709, v1703, v1607, Windows 10 for 32-bit Systems, and Windows 10 for x64-based Systems (not including Edge) | Critical | Remote Code Execution | Windows 10 v1809 Security Update: 4487044;
Windows 10 v1803 Security Update: 4487017; Windows 10 v1709 Security Update: 4486996; Windows 10 v1703 Security Update: 4487020; Windows 10 v1607 Security Update: 4487026; Windows 10 Security Update: 4487018; |
Windows Server 2019, Windows Server 2016, and Server Core installations (2019, 2016, v1803, and v1709) | Critical | Remote Code Execution | Windows Server 2019 Security Update: 4487044;
Windows Server 2016 Security Update: 4487026; Windows Server, version 1803 Security Update: 4487017; Windows Server, version 1709 Security Update: 4486996; |
Windows 8.1 , Windows Server 2012 R2, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008 | Critical | Remote Code Execution | Windows 8.1 and Windows Server 2012 R2 and Windows RT 8.1 Monthly Rollup: 4487000; Windows 8.1 and Windows Server 2012 R2 Security Only: 4487028;
Windows Server 2012 Security Only: 4486993; Windows Server 2012 Monthly Rollup: 4487025; Windows 7 and Windows Server 2008 R2 Monthly Rollup: 4486563; Windows 7 and Windows Server 2008 R2 Security Only: 4486564; Windows Server 2008 Security Only: 4487019; Windows Server 2008 Monthly Rollup: 4487023; |
Microsoft Edge | Critical | Remote Code Execution | Microsoft Edge on Windows 10 v1809 and Microsoft Edge on Windows Server 2019 Security Update: 4487044;
Microsoft Edge on Windows 10 v1803 Security Update: 4487017; Microsoft Edge on Windows 10 v1709 Security Update: 4486996; Microsoft Edge on Windows 10 v1703 Security Update: 4487020; Microsoft Edge on Windows Server 2016 and Microsoft Edge on Windows 10 v1607 Security Update: 4487026; Microsoft Edge on Windows 10 Security Update: 4487018; |
Internet Explorer | Critical | Remote Code Execution | Internet Explorer 11 on Windows 10 v1809 and Internet Explorer 11 on Windows Server 2019 Security Update: 4487044;
Internet Explorer 11 on Windows 10 v1803 Security Update: 4487017; Internet Explorer 11 on Windows 10 v1709 Security Update: 4486996; Internet Explorer 11 on Windows 10 v1703 Security Update: 4487020; Internet Explorer 11 on Windows Server 2016 and Internet Explorer 11 on Windows 10 v1607 Security Update: 4487026; Internet Explorer 11 on Windows 10 Security Update: 4487018; Internet Explorer 11 on Windows 7 and Internet Explorer 11 on Windows Server 2008 R2 and Internet Explorer 11 on Windows 8.1 and Internet Explorer 11 on Windows Server 2012 R2 and Internet Explorer 10 on Windows Server 2012 IE Cumulative: 4486474; Internet Explorer 10 on Windows Server 2012 Monthly Rollup: 4487025; Internet Explorer 11 on Windows 7 and Internet Explorer 11 on Windows Server 2008 R2 Monthly Rollup: 4486563; |
Microsoft Office-related software | Important | Remote Code Execution | The number of KB articles associated with Microsoft Office-related software for each monthly security update release varies depending on the number of CVEs and the number of affected components. This month there are more than 20 KB Articles related to Microsoft Office-related software updates – too many to list here for the purposes of a summary. Review the content in the Security Update Guide for article details. |
Microsoft SharePoint-related software | Critical | Remote Code Execution | Microsoft SharePoint Server 2019 : 4462171 Microsoft SharePoint Enterprise Server 2016 : 4462155 Microsoft SharePoint Enterprise Server 2013 : 4462139 Microsoft SharePoint Foundation 2013 : 4462143 Microsoft SharePoint Server 2010 : 4461630 |
.NET Framework | Important | Remote Code Execution | The number of KB articles associated with .NET Framework for each monthly security update release varies depending on the number of CVEs and the number of affected components. This month there are more than 20 KB Articles related to .NET Framework updates – too many to list here for the purposes of a summary. Review the content in the Security Update Guide for article details. |
Visual Studio | Important | Remote Code Execution | https://code.visualstudio.com/Download |
Microsoft Exchange Server | Important | Elevation of Privilege | Microsoft Exchange Server 2019: 4471391
Microsoft Exchange Server 2016: 4471392 |
Adobe Flash Player | Critical | Remote Code Execution | Adobe Flash Security Update: 4487038 Adobe Flash Player Advisory: ADV190003 |
Team Foundation Server | Important | Spoofing | https://aka.ms/tfs2018.3.2patch |
Java SDK for Azure IoT | Important | Elevation of Privilege | https://github.com/Azure/azure-iot-sdk-java/releases |
ChakraCore | Critical | Remote Code Execution | ChakraCore is the core part of Chakra, the high-performance JavaScript engine that powers Microsoft Edge and Windows applications written in HTML/CSS/JS. More information is available at https://github.com/Microsoft/ChakraCore/wiki. |
Обратите внимание
На следующие уязвимости и обновления безопасности следует обратить особое внимание:
Windows/Windows Server
CVE-2019-0626 – Windows DHCP Client Remote Code Execution Vulnerability
CVE-2019-0625 – Jet Database Engine Remote Code Execution Vulnerability
CVE-2019-0662 – GDI+ Remote Code Execution Vulnerability
CVE-2019-0630 – Windows SMB Remote Code Execution Vulnerability
CVE-2019-0636 – Windows Information Disclosure Vulnerability
Microsoft Edge/Internet Explorer
CVE-2019-0606 – Internet Explorer Memory Corruption Vulnerability
CVE-2019-0607 – Scripting Engine Memory Corruption Vulnerability
Microsoft Office
CVE-2019-0671 – Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
CVE-2019-0594 – Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Exchange
ADV190007 – Guidance for PrivExchange Elevation of Privilege Vulnerability
CVE-2019-0686 – Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2019-0724 – Microsoft Exchange Server Elevation of Privilege Vulnerability
KB4490059 – Reducing permissions required to run Exchange Server by using Shared Permissions Model
Рекомендации по безопасности
В январе были выпущены следующие рекомендательные документы:
ADV190003 – February 2019 Adobe Flash Security Update
ADV190004 – February 2019 Oracle Outside In Library Security Update
ADV190006 – Guidance to mitigate unconstrained delegation vulnerabilities
ADV190007 – Guidance for PrivExchange Elevation of Privilege Vulnerability
Были дополнены и обновлены следующие рекомендательные документы:
ADV990001 – Latest Servicing Stack Updates
Дополнительная информация
Для вашего удобства предлагаю загрузить сводную таблицу в формате Microsoft Excel, которая содержит всю информацию о данном выпуске бюллетеней безопасности Microsoft с возможностью фильтрации и поиска по всевозможным параметрам.
Вы также можете посмотреть запись нашего ежемесячного вебинара «Брифинг по безопасности», посвященного подробному разбору текущего выпуска обновлений и бюллетеней безопасности компании Microsoft.
Самую полную и актуальную информацию об уязвимостях и обновлениях безопасности вы можете найти на нашем портале Security Update Guide.
Артём Синицын,
руководитель программ информационной безопасности, Microsoft