In this library you will find the following security documents that have been released by the Microsoft Security Response Center (MSRC). The MSRC investigates all reports of security vulnerabilities affecting Microsoft products and services, and releases these documents as part of the ongoing effort to help you manage security risks and help keep your systems protected.
- Microsoft patches two Windows zero-days in July Patch Tuesday: Microsoft fixed two Windows zero-day flaws as part of the July 2019 Patch Tuesday release, which also saw the remediation of 75 other vulnerabilities across Microsoft products.
- We have released the September security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. As a reminder, Windows 7 and Windows Server 2008 R2 will be out of.
- Microsoft Patch Tuesday updates for September 2019 address 80 flaws, including two privilege escalation issues exploited in attacks. Microsoft Patch Tuesday security updates for September 2019 address 80 vulnerabilities, including two privilege escalation flaws that have been exploited in attacks in the wild.
Patch Tuesday is the name given to the day each month that Microsoft releases security and other patches for their operating systems and other software.
Patch Tuesday is always the second Tuesday of each month and more recently is being referred to as Update Tuesday.
Non-security updates to Microsoft Office tend to occur on the first Tuesday of each month and firmware updates for Microsoft's Surface devices on the third Tuesday of every month.
Most Windows users will experience more of a Patch Wednesday because they're prompted to install, or notice the installation of, the updates downloaded via Windows Update on Tuesday night or Wednesday morning.
Some half-jokingly refer to the day after Patch Tuesday as Crash Wednesday, referring to the troubles that sometimes accompany a computer after the patches are installed (honestly, this rarely happens).
Latest Patch Tuesday: April 9, 2019
The latest Patch Tuesday was on April 9, 2019 and consisted of 34 individual security updates, correcting 75 unique issues across Microsoft Windows operating systems and some other Microsoft software.
The next Patch Tuesday will be on May 14, 2019.
If you're currently using Windows 8.1 but have not yet applied the Windows 8.1 Update package or updated to Windows 10, you must do so to continue to receive these important security patches! See our Windows 8.1 Update piece for more on what this is and how to upgrade or How to Download Windows 10 for more on that upgrade.
What Do These Patch Tuesday Updates Do?
These patches from Microsoft update several individual files involved in making Windows and other Microsoft software work.
These files were determined by Microsoft to have security issues, meaning that they have 'bugs' that could provide a means to do something malicious to your computer without your knowledge.
How Do I Know If I Need These Security Updates?
You need these updates if you're running any supported edition of Microsoft's operating systems, 32-bit or 64-bit. This includes Windows 10, Windows 8 (as well as Windows 8.1), and Windows 7, plus supported Server versions of Windows.
A number of other products are receiving patches this month too. You can see the full list on Microsoft's Security Update Guide page, along with the associated KB articles and security vulnerability details. Just set the date filter from 4/9/2019 to 4/9/2019 to avoid showing previous months' updates.
Here's a summary list:
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office Services and Web Apps
- ChakraCore
- ASP.NET
- Microsoft Exchange Server
- Team Foundation Server
- Azure DevOps Server
- Open Enclave SDK
- Windows Admin Center
Some updates correct issues so serious that, in certain situations, remote access to your computer may be possible without your permission. These issues are classified as critical, while most others are less serious and classified as important, moderate, or low.
See Microsoft Security Bulletin Severity Rating System for more on these classifications and the April 2019 Security Updates Release Notes for Microsoft's very brief summary on this collection of security updates.
Windows XP and Windows Vista are no longer supported by Microsoft and so no longer receive security patches. Windows Vista support ended on April 11, 2017 and Windows XP support ended on April 8, 2014.
In case you're curious: Windows 7 support ends on January 14, 2020 and Windows 8 support ends on January 10, 2023. Windows 10 support is slated to end on October 14, 2025, but expect that to be extended as future iterations of Windows 10 are released.
Are There Any Non-Security Updates This Patch Tuesday?
Yes, a number of non-security updates are being made available for all supported versions of Windows including, as usual, this month's update to the Windows Malicious Software Removal Tool.
Microsoft's Surface tablets also usually get driver and/or firmware updates on Patch Tuesday. You can get all the details on these updates from Microsoft's Surface Update History page. Individual update histories are available for Microsoft's Surface devices.
There may also be non-security updates included this month for Microsoft software other than Windows. See the non-security update information in the section below for details.
Download Patch Tuesday Updates
In most situations, the best way to download patches on Patch Tuesday is via Windows Update. Only the updates you need will be listed and, unless you've configured Windows Update otherwise, will be downloaded and installed automatically.
See How Do I Install Windows Updates? if you're new to this or need some help.
You can usually find links to any non-security Microsoft Office updates on the Microsoft Office Updates blog.
Updates are typically not available to consumers for individual installation. When they are, or if you're a business or enterprise user, please know that most of these downloads come in a choice of 32-bit or 64-bit versions. See Do I Have 32-bit or 64-bit Windows? if you're not sure which downloads to choose.
Patch Tuesday Problems
While updates from Microsoft rarely result in widespread problems with Windows itself, they do frequently cause specific issues with software or drivers provided by other companies.
If you haven't yet installed these patches, please see How to Prevent Windows Updates From Crashing Your PC for a number of preventative measures you should take before applying these updates, including disabling fully automatic updates.
If you're having problems after Patch Tuesday, or during or after installing any Windows update:
- See How to Recover From a Frozen Windows Update Installation for help if your computer freezes during the installation of an update.
- See How to Fix Problems Caused by Windows Updates for help undoing the damage if the updates are already installed but you're now experiencing a problem.
See Windows Updates & Patch Tuesday FAQ for answers to other common questions, including 'Does Microsoft test these updates before they push them out?' and 'Why hasn't Microsoft fixed the problem that their update caused on my computer?!'
Patch Tuesday & Windows 10
Microsoft has publicly commented that beginning with Windows 10, they will no longer be pushing updates solely on Patch Tuesday, instead pushing them more frequently, essentially ending the idea of Patch Tuesday altogether.
While this change goes for both security updates and non-security updates, and Microsoft is clearly updating Windows 10 outside of Patch Tuesday, so far they still seem to be pushing a majority of the updates to their latest operating system on Patch Tuesday.
On the second Tuesday of the month -- like clockwork -- Microsoft released its monthly rollup of security updates known as Patch Tuesday.
This month, Microsoft patched 93 security flaws and published two security advisories with mitigations for two security-related issues impacting the company's products & services.
Unlike in previous months, none of the vulnerabilities that have been patched today were under attack, or had their details publicly disclosed online.
The RDS RCEs
But while security researchers say that all security bugs are important, the 'stars' of this month's Patch Tuesday are the four remote code execution bugs Microsoft fixed in the Windows Remote Desktop Services (RDS) component -- CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226.
Of the four, the first two are the biggest threats.
In a blog post, Simon Pope, Director of Incident Response for the Microsoft Security Response Center (MSRC), said the two bugs are 'wormable,' akin to the now-infamous BlueKeep (CVE-2019-0708) bug that Microsoft patched in RDS in May.
This means attackers can exploit the bugs to take over a computer and then spread to other computers without any user interaction.
Patching CVE-2019-1181 and CVE-2019-1182 is of the utmost urgency, and for good reasons.
Other patched vulnerabilities
But the four remote code execution (RCE) bugs in the RDS component are not the only RCEs patched this month.
There are also seven RCEs impacting the Chakra scripting engine (included in Microsoft Edge and other Microsoft apps), two RCEs in Microsoft Hyper-V virtual machine hypervisor technology, six RCEs in the Microsoft Graphics component, one in Outlook, two in Word, two in the Windows DHCP client, two in the older Scripting Engine component, and one in the VBScript engine.
And there is also a patch for a bug in the shadowy CTF protocol that impacts all Windows versions since Windows XP.
All in all, the August 2019 Patch Tuesday is both bulky and critical. Of the 93 vulnerabilities Microsoft patched today, 29 are rated Critical and 64 are rated Important in severity.
Furthermore, on this occasion, Microsoft also wanted to remind users that Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer receiving updates as of January 14, 2020.
'We strongly recommend that you update any computers running Windows 7 or Windows Server 2008 R2 so you will continue receiving security updates,' the company said.
Other non-Microsoft security updates
Since Microsoft's Patch Tuesday is also the day when other vendors release security patches, it's worth mentioning that Adobe, SAP, and VMware published their respective security updates earlier today.
Of the three, Adobe's security updates are the largest, with fixes for Photoshop, Experience Manager, Acrobat/Reader, the Creative Cloud desktop app, Prelude, Premiere Pro, Character Animator, and After Effects. Of note, there are no Flash security updates this month.
More in-depth information on today's Patch Tuesday updates is available on Microsoft's official Security Update Guide portal. You can also consult the table embedded below, this Patch Tuesday report generated by ZDNet, or these ones, put together by Trend Micro and the SANS Internet Storm Center.
Tag | CVE ID | CVE Title |
---|---|---|
Online Services | ADV190014 | Microsoft Live Accounts Elevation of Privilege Vulnerability |
Active Directory | ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing |
HTTP/2 | CVE-2019-9513 | HTTP/2 Server Denial of Service Vulnerability |
HTTP/2 | CVE-2019-9512 | HTTP/2 Server Denial of Service Vulnerability |
HTTP/2 | CVE-2019-9511 | HTTP/2 Server Denial of Service Vulnerability |
HTTP/2 | CVE-2019-9518 | HTTP/2 Server Denial of Service Vulnerability |
HTTP/2 | CVE-2019-9514 | HTTP/2 Server Denial of Service Vulnerability |
Microsoft Bluetooth Driver | CVE-2019-9506 | Encryption Key Negotiation of Bluetooth Vulnerability |
Microsoft Browsers | CVE-2019-1193 | Microsoft Browser Memory Corruption Vulnerability |
Microsoft Browsers | CVE-2019-1192 | Microsoft Browsers Security Feature Bypass Vulnerability |
Microsoft Dynamics | CVE-2019-1229 | Dynamics On-Premise Elevation of Privilege Vulnerability |
Microsoft Edge | CVE-2019-1030 | Microsoft Edge Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2019-1154 | Windows Graphics Component Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2019-1143 | Windows Graphics Component Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2019-1144 | Microsoft Graphics Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2019-1152 | Microsoft Graphics Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2019-1078 | Microsoft Graphics Component Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2019-1158 | Windows Graphics Component Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2019-1150 | Microsoft Graphics Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2019-1151 | Microsoft Graphics Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2019-1153 | Microsoft Graphics Component Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2019-1145 | Microsoft Graphics Remote Code Execution Vulnerability |
Microsoft Graphics Component | CVE-2019-1148 | Microsoft Graphics Component Information Disclosure Vulnerability |
Microsoft Graphics Component | CVE-2019-1149 | Microsoft Graphics Remote Code Execution Vulnerability |
Microsoft JET Database Engine | CVE-2019-1155 | Jet Database Engine Remote Code Execution Vulnerability |
Microsoft JET Database Engine | CVE-2019-1146 | Jet Database Engine Remote Code Execution Vulnerability |
Microsoft JET Database Engine | CVE-2019-1147 | Jet Database Engine Remote Code Execution Vulnerability |
Microsoft JET Database Engine | CVE-2019-1156 | Jet Database Engine Remote Code Execution Vulnerability |
Microsoft JET Database Engine | CVE-2019-1157 | Jet Database Engine Remote Code Execution Vulnerability |
Microsoft Malware Protection Engine | CVE-2019-1161 | Microsoft Defender Elevation of Privilege Vulnerability |
Microsoft NTFS | CVE-2019-1170 | Windows NTFS Elevation of Privilege Vulnerability |
Microsoft Office | CVE-2019-1201 | Microsoft Word Remote Code Execution Vulnerability |
Microsoft Office | CVE-2019-1200 | Microsoft Outlook Remote Code Execution Vulnerability |
Microsoft Office | CVE-2019-1199 | Microsoft Outlook Memory Corruption Vulnerability |
Microsoft Office | CVE-2019-1205 | Microsoft Word Remote Code Execution Vulnerability |
Microsoft Office | CVE-2019-1218 | Outlook iOS Spoofing Vulnerability |
Microsoft Office | CVE-2019-1204 | Microsoft Outlook Elevation of Privilege Vulnerability |
Microsoft Office SharePoint | CVE-2019-1202 | Microsoft SharePoint Information Disclosure Vulnerability |
Microsoft Office SharePoint | CVE-2019-1203 | Microsoft Office SharePoint XSS Vulnerability |
Microsoft Scripting Engine | CVE-2019-1133 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1141 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1131 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1196 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1197 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1140 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1139 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1194 | Scripting Engine Memory Corruption Vulnerability |
Microsoft Scripting Engine | CVE-2019-1195 | Chakra Scripting Engine Memory Corruption Vulnerability |
Microsoft Windows | CVE-2019-1163 | Windows File Signature Security Feature Bypass Vulnerability |
Microsoft Windows | CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1188 | LNK Remote Code Execution Vulnerability |
Microsoft Windows | CVE-2019-1198 | Microsoft Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1177 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1186 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1168 | Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1176 | DirectX Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1174 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1173 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1175 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1179 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1180 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1178 | Windows Elevation of Privilege Vulnerability |
Microsoft Windows | CVE-2019-1172 | Windows Information Disclosure Vulnerability |
Microsoft Windows | CVE-2019-0716 | Windows Denial of Service Vulnerability |
Microsoft XML | CVE-2019-1187 | XmlLite Runtime Denial of Service Vulnerability |
Microsoft XML Core Services | CVE-2019-1057 | MS XML Remote Code Execution Vulnerability |
Visual Studio | CVE-2019-1211 | Git for Visual Studio Elevation of Privilege Vulnerability |
Windows - Linux | CVE-2019-1185 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
Windows DHCP Client | CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability |
Windows DHCP Server | CVE-2019-1213 | Windows DHCP Server Remote Code Execution Vulnerability |
Windows DHCP Server | CVE-2019-1206 | Windows DHCP Server Denial of Service Vulnerability |
Windows DHCP Server | CVE-2019-1212 | Windows DHCP Server Denial of Service Vulnerability |
Windows Hyper-V | CVE-2019-0718 | Windows Hyper-V Denial of Service Vulnerability |
Windows Hyper-V | CVE-2019-0717 | Windows Hyper-V Denial of Service Vulnerability |
Windows Hyper-V | CVE-2019-0714 | Windows Hyper-V Denial of Service Vulnerability |
Windows Hyper-V | CVE-2019-0715 | Windows Hyper-V Denial of Service Vulnerability |
Windows Hyper-V | CVE-2019-0720 | Hyper-V Remote Code Execution Vulnerability |
Windows Hyper-V | CVE-2019-0965 | Windows Hyper-V Remote Code Execution Vulnerability |
Windows Hyper-V | CVE-2019-0723 | Windows Hyper-V Denial of Service Vulnerability |
Windows Kernel | CVE-2019-1164 | Windows Kernel Elevation of Privilege Vulnerability |
Windows Kernel | CVE-2019-1169 | Win32k Elevation of Privilege Vulnerability |
Windows Kernel | CVE-2019-1227 | Windows Kernel Information Disclosure Vulnerability |
Windows Kernel | CVE-2019-1159 | Windows Kernel Elevation of Privilege Vulnerability |
Windows Kernel | CVE-2019-1228 | Windows Kernel Information Disclosure Vulnerability |
Windows Kernel | CVE-2019-1190 | Windows Image Elevation of Privilege Vulnerability |
Windows RDP | CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability |
Windows RDP | CVE-2019-1225 | Remote Desktop Protocol Server Information Disclosure Vulnerability |
Windows RDP | CVE-2019-1226 | Remote Desktop Services Remote Code Execution Vulnerability |
Windows RDP | CVE-2019-1223 | Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability |
Windows RDP | CVE-2019-1224 | Remote Desktop Protocol Server Information Disclosure Vulnerability |
Windows RDP | CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability |
Windows RDP | CVE-2019-1222 | Remote Desktop Services Remote Code Execution Vulnerability |
Windows Scripting | CVE-2019-1183 | Windows VBScript Engine Remote Code Execution Vulnerability |
Windows Shell | CVE-2019-1184 | Windows Elevation of Privilege Vulnerability |
Windows SymCrypt | CVE-2019-1171 | SymCrypt Information Disclosure Vulnerability |