Windows Server

Patch Tuesday March 2018

This month, Microsoft patches a remote code execution vulnerability for CredSSP, helps Intel distribute microcode updates to protect against Spectre Variant 2, and Office 2016 gets updated to version 1803.



Sponsored Content

Maximize Value from Microsoft Defender

In this ebook, you’ll learn why Red Canary’s platform and expertise bring you the highest possible value from your Microsoft Defender for Endpoint investment, deployment, or migration.

This month’s cumulative update for Windows 1709 64-bit patches twenty-four vulnerabilities in total. Fourteen of which are information disclosure, six privilege elevation, two security feature bypass, one denial of service, and one remote code execution vulnerability. Of particular interest is the remote code execution vulnerability CVE-2018-0886, which affects all supported versions of Windows.

Remote code execution vulnerabilities are especially important to patch because they can be exploited from a remote computer that has access to your network. The vulnerability is in the Credential Security Support Provider (CredSSP) protocol and could allow an attacker to relay credentials to run code on a remote system. CredSSP is used by WinRM and the Remote Desktop Protocol (RDP). In a worst-case scenario, the vulnerability could provide access a domain controller (DC) if an administrator initiates a session to a DC using Remote Desktop.

The patch updates CredSSP and Remote Desktop clients for all affected platforms. But for complete protection, it is not enough to install the patch. System administrators also need to apply some new Group Policy settings that are included in the patch. For more information about the new settings and configuring your environment, see Microsoft’s website here.

Group Policy settings for CredSSP patch (Image Credit: Russell Smith)
Group Policy Settings for CredSSP Patch (Image Credit: Russell Smith)

CVE-2018-0886 isn’t the only remote code vulnerability this month. CVE-2018-0883 patches a problem with the Windows shell and it affects all supported versions of Windows except Windows 1709 64-bit edition. If an attacker was able to exploit the vulnerability, they could get access in the context of the currently logged in user. If the user has administrative access, then the attacker could take control of the device.

There are no critical updates for Windows this month but there are several for Adobe Flash, Edge, and Internet Explorer. The Flash update addresses two critical remote code execution vulnerabilities, Edge – twelve vulnerabilities, and two for Internet Explorer. The Windows denial-of-service (DoS) vulnerability affects Windows 8.1, Windows Server 2008 R2, and all later versions of Windows. A second DoS vulnerability affects ASP.NET Core 2.0, the .NET Framework Core 1.0, 1.1, and 2.0, and PowerShell Core 6.0.0.

There are two import information disclosure vulnerabilities patched for Exchange Server 2016 and an import privilege escalation bug patched for Exchange Server 2010. SharePoint Server 2016 gets nine important privilege escalation fixes and one important information disclosure update. While SharePoint Server 2013 gets two important privilege escalation fixes and one important remote code execution patch. There’s nothing for SQL this month.

Microsoft Distributing Intel Microcode Updates

Microsoft is helping Intel distribute microcode updates that expand protection for the widely-publicized Meltdown and Spectre flaws that hit the headlines in early January. The update addresses extended protection for Spectre Variant 2. Microsoft already released Intel microcode for Windows 10 1709 and Windows Server 1709 (Server Core) that were running on Skylake at the beginning of March. System administrators must download the patches manually from the Microsoft Update Catalog.

On March 13th, Microsoft expanded the patches to include Kaby Lake and Coffee Lake chips. You can download the updates from Microsoft’s website here.

Office 2016

If you have an Office 2016 Click-to-Run installation and are on the semi-annual update channel, you will get version 1803 (build 9126.2072) this month. Apart from noticeable improvements in performance, there’s a host of new features and improvements. Sorting has been brought back to Outlook by popular demand and the Focused Inbox finally makes the cut. Word gets enhanced writing assistance with Editor pane, which provides advanced spelling, grammar, and writing style recommendations.

Outlook 2016 build 1803 (Image Credit: Russell Smith)
Outlook 2016 Build 1803 (Image Credit: Russell Smith)

Problems, Problems, Problems

VMWare is calling out KB4088875 and KB4088878 as problematic.

When applied to a virtualized Windows Server 2008/R2 and/or Windows 7 instances, these patches replace the existing virtual network card (vNIC) with a new one, hides the pre-existing vNIC and does not persist or transfer the existing IP Address configuration to the new vNIC.

And it looks like Microsoft has pulled KB4088875. Read more about the issues here. KB4011730 for Word 2016 breaks opening .doc files if you don’t have the March 6th update (KB4018295) already installed. You can get more information about this issue here.



Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by:

Office 365 Coexistence for Mergers & Acquisitions: Don’t Panic! Make it SimpleLive Webinar on Tuesday, November 16, 2021 @ 1 pm ET

In this session, Microsoft MVPs Steve Goodman and Mike Weaver, and tenant migration expert Rich Dean, will cover the four most common steps toward Office 365 coexistence and explain the simplest route to project success.

  • Directory Sync/GAL Sync – How to prepare for access and awareness
  • Calendar Sharing – How to retrieve a user’s shared calendar, or a room’s free time
  • Email Routing – How to guarantee email is routed to the active mailbox before and after migration
  • Domain Sharing – How to accommodate both original and new SMTP domains at every stage

Aimed at IT Admins, Infrastructure Engineers and Project Managers, this session outlines both technical and project management considerations – giving you a great head start when faced with a tenant migration.the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

Sponsored by: