Microsoft Windows Security Updates March 2019 overview

Martin Brinkmann
Mar 12, 2019
Updated • Apr 9, 2019
Companies, Microsoft
|
18

Today is the third patch day of the year 2019. Microsoft released updates for Microsoft Windows, Office, and other company products on March 12, 2019.

The updates are already available via Windows Update, as direct downloads, and through other updating systems that Microsoft supports.

Our monthly patch overview provides you with detailed information and links to support pages for further analysis.

The overview starts with an executive summary. What follows are statistics, information about cumulative updates for Windows, links to all security and non-security updates that Microsoft released, information about known issues, direct download links, and more.

Here is the link to last month's patch overview in case you missed it.

We suggest that you create backups of the system and data that is important to you before you install any updates.

Microsoft Windows Security Updates March 2019

You may download the following Excel spreadsheet that lists all security updates released for all Microsoft products in March 2019. Click on the following link to download it to your device: (Download Removed)

Executive Summary

  • Microsoft released security products for all client and server based versions of Windows that it supports.
  • The company released security updates for the following products next to that: Internet Explorer, Microsoft Edge, Microsoft Office and SharePoint, Skype for Business, Team Foundation Server, Visual Studio, and NuGet.
  • Microsoft released SHA-2 Code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1 as a security update. See this support article for additional information.

Operating System Distribution

  • Windows 7: 21 vulnerabilities of which 3 are rated critical and 18 are rated important.
    • Same as Windows 10 version 1607
  • Windows 8.1: 20 vulnerabilities of which 3 are rated critical and 17 are rated important.
    • Same as Windows 10 version 1607
  • Windows 10 version 1607:  24 vulnerabilities of which 3 are critical and 21 are important
    •  CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
    • Same as Windows 10 version 1709
  • Windows 10 version 1703:  24 vulnerabilities of which 2 are critical and 22 are important
    • Same as Windows 10 version 1709
  • Windows 10 version 1709: 28 vulnerabilities of which 2 are critical and 26 are important
  • Windows 10 version 1803: 33 vulnerabilities of which 6 are critical and 27 are important
    • same as Windows 10 version 1809
  • Windows 10 version 1809: 33 vulnerabilities of which 6 are critical and 27 are important
    • CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
    • CVE-2019-0697 | Windows DHCP Client Remote Code Execution Vulnerability
    • CVE-2019-0698 | Windows DHCP Client Remote Code Execution Vulnerability
    • CVE-2019-0726 | Windows DHCP Client Remote Code Execution Vulnerability
    • CVE-2019-0756 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability

Windows Server products

  • Windows Server 2008 R2: 21 vulnerabilities of which 3 are critical and 17 are important.
    • Same as Windows Server 2016.
  • Windows Server 2012 R2: 20 vulnerabilities of which 3 are critical and 17 are important.
    • Same as Windows Server 2016.
  • Windows Server 2016: 24 vulnerabilities of which 3 are critical and 21 are important.
    • CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
    • CVE-2019-0756 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability
  • Windows Server 2019: 33 vulnerabilities of which 5 are critical and 27 are important.
    • CVE-2019-0603 | Windows Deployment Services TFTP Server Remote Code Execution Vulnerability
    • CVE-2019-0697 | Windows DHCP Client Remote Code Execution Vulnerability
    • CVE-2019-0698 | Windows DHCP Client Remote Code Execution Vulnerability
    • CVE-2019-0726 | Windows DHCP Client Remote Code Execution Vulnerability
    • CVE-2019-0756 | MS XML Remote Code Execution Vulnerability
    • CVE-2019-0784 | Windows ActiveX Remote Code Execution Vulnerability

Other Microsoft Products

  • Internet Explorer 11: 14 vulnerability, 4 critical, 10 important
  • Microsoft Edge: 14 vulnerabilities, 7 critical, 7 important

Windows Security Updates

Windows 10 version 1809

KB4489899

  • Fixed a tracking and device calibration issue that affected Microsoft HoloLens.
  • Fixed "Error 1309" when installing or removing MSI and MSP files.
  • Fixed the graphics performance degredation issue.
  • Security updates for various Windows components.

Windows 10 version 1803

KB4489868

  • Fixed the "Error 1309" notification.
  • Security updates for various Windows components.

Windows 10 version 1709

KB4489886

  • Fixed "Error 1309".
  • Security updates for various Windows components.

Windows 10 version 1703

KB4489871

  • Fixed "Error 1309".
  • Fixed _isleadbyte_l() returning 0.
  • Security updates for various Windows components.

Windows 10 version 1607 / Server 2016

KB4489882

  • Fixed "Error 1309".
  • Fixed an issue that caused Windows Server to stop working and restarting "when hosting multiple terminal server sessions and a user logs off".
  • Fixed _isleadbyte_l() returning 0.
  • Security updates for various Windows components.

Windows 8.1

KB4489881 Monthly Rollup

  • Fixed the "Error 1309" issue.
  • Fixed an issue with a virtual memory leak and depletion of paged pool.
  • Various security updates for Windows components.

KB4489883 Security-only Update

  • Additional Japanese Era name fixes.
  • Same as Monthly Rollup.

Windows 7 Service Pack 1

KB4489878 Monthly Rollup

  • Fixed an issue that prevented the Event Viewer from showing Network Interface Cards events.
  • Various security updates for Windows components.

KB4489885 Security-only Update

  • Additional Japanese ERA name fixes.
  • Same as Monthly Rollup.

Other security updates

KB4489873 -- Cumulative security update for Internet Explorer: March 12, 2019

KB4474419 -- SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7: March 12, 2019

KB4486468 -- Security update for the information disclosure vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4486536 -- Security update for the information disclosure vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4486538 -- Security update for the elevation of privilege vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4489493 -- Security update for the information disclosure vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4489876 -- Security Only Quality Update for Windows Server 2008

KB4489880 -- Security Monthly Quality Rollup for Windows Server 2008

KB4489884 --Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4489891 -- Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4489907 -- Adobe Flash Player update

KB4489973 -- Security update for the remote code execution vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4489974 -- Security update for the remote code execution vulnerabilities in Windows Embedded POSReady 2009: March 12, 2019

KB4489977 -- Security update for the remote code execution vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4490228 -- Security update for the remote code execution vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4490385 -- Security update for the information disclosure vulnerabilities in Windows Embedded POSReady 2009: March 12, 2019

KB4490500 -- Security update for the elevation of privilege vulnerabilities in Windows Embedded POSReady 2009: March 12, 2019

KB4490501 -- Security update for the information disclosure vulnerability in Windows Embedded POSReady 2009: March 12, 2019

KB4493341 -- Security update for the information disclosure vulnerability in Windows Embedded POSReady 2009: March 12, 2019

Known Issues

4489878 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup) AND

4489885 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update) AND

4489884 Windows Server 2012 (Security-only update) AND

4489891 Windows Server 2012 (Monthly Rollup)

  • Internet Explorer 10 may have authentication issues
    • Create unique user accounts to avoid same user account sharing and resolve the issue.

4489881 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) AND

4489883 Windows 8.1, Windows Server 2012 R2 (Security-only update)

  • IE11 may have authentication issues.

4489882 Windows 10 version 1607, Windows Server 2016

  • System Center Virtual Machine Manager managed hosts cannot "enumerate and manage logical switches".
    • Run mofcomp on Scvmmswitchportsettings.mof and VMMDHCPSvr.mof
  • Cluster service may fail with error "2245 (NERR_PasswordTooShort)".
    • Set the Minimum Password Length policy to less or equal to 14 characters.
  • IE11 may have authentication issues.

4489899 Windows 10 version 1809, Windows Server 2019

  • IE11 may have authentication issues.
  • Output devices may stop working on devices with multiple audio devices. Affected applications include Windows Media Player, Sound Blaster Control Panel, and Realtek HD Audio Manager.
    • Temporary workaround: set the output device to default.

Security advisories and updates

ADV190008 | March 2019 Adobe Flash Security Update

ADV190010 | Best Practices Regarding Sharing of a Single User Account Across Multiple Users

ADV990001 | Latest Servicing Stack Updates

Non-security related updates

KB4484071 -- Update for Windows Server 2008 R2 and Windows Server 2008

KB4487989 -- Update for POSReady 2009

KB4490628 -- Servicing Stack Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4489723 -- Dynamic Update for for Windows 10 Version 1803

KB890830 -- Windows Malicious Software Removal Tool - March 2019

Microsoft Office Updates

Microsoft released non-security and security updates for supported Microsoft Office products in March 2019. Information is available here.

How to download and install the March 2019 security updates

windows update 2019 march

Windows updates are installed automatically on most systems by default. Windows administrators may speed up the process by searching for updates manually or by downloading them directly from the Microsoft Update Catalog website.

Direct update downloads

Cumulative updates that Microsoft releases as well as other updates get uploaded to the Microsoft Update Catalog website.

You find links to all cumulative updates for client and server versions of Microsoft Windows.

Windows 7 SP1 and Windows Server 2008 R2 SP

  • KB4489878 -- 2019-03 Security Monthly Quality Rollup for Windows 7
  • KB4489885 -- 2019-03 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

  • KB4489881-- 2019-03 Security Monthly Quality Rollup for Windows 8.1
  • KB4489883 -- 2019-03 Security Only Quality Update for Windows 8.1

Windows 10 and Windows Server 2016 (version 1607)

  • KB4489882 -- 2019-03 Cumulative Update for Windows 10 Version 1607

Windows 10 (version 1703)

  •  KB4489871 -- 2019-03 Cumulative Update for Windows 10 Version 1703

Windows 10 (version 1709)

  • KB4489886-- 2019-03 Cumulative Update for Windows 10 Version 1709

Windows 10 (version 1803)

  • KB4489868 -- 2019-03 Cumulative Update for Windows 10 Version 1803

Windows 10 (version 1809)

  •  KB4489899 -- 2019-03 Cumulative Update for Windows 10 Version 1809

Additional resources

Summary
Microsoft Windows Security Updates March 2019 overview
Article Name
Microsoft Windows Security Updates March 2019 overview
Description
Today is the third patch day of the year 2019. Microsoft released updates for Microsoft Windows, Office, and other company products on March 12, 2019.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. James said on July 5, 2019 at 3:21 am
    Reply

    Ah, that explains why we’re having great trouble getting the Windows Boot Manager to work since Microsoft has “fixed” TFTP.

  2. Rohan said on May 15, 2019 at 12:31 am
    Reply

    thanks! hope his helps with my win7 upgrade.

  3. Catalin said on March 31, 2019 at 4:49 pm
    Reply

    KB4489881 update screwed up both my Windows 8.1 desktop and laptop. As soon as I log in to windows, I get a blue screen showing a BAD_POOL_HEADER error. They only way to fix the issue was to boot in safe mode and uninstall that update. Once that update uninstalled, now both systems are back to normal.

  4. just sum guy said on March 19, 2019 at 9:00 pm
    Reply

    microsoft KB4489892 Offered 2 me ,But Does Not Exist . Win7hp . Probably a rewrite due to all the Boot Issues. I had same Problem. restart press f8. last known good config werked for me.

  5. Danielle Carr said on March 17, 2019 at 5:03 pm
    Reply

    I got the most recent windows update on windows 7(or at least tried to) on March 14 2019. My laptop is basically stuck in the boot up loop. I will boot up, attempt to configure the windows updates, then its says the updates failed and will revert the configuration, but then it shuts down and restarts and does the same thing over again.

    1. Peterc said on March 17, 2019 at 7:48 pm
      Reply

      @Danielle:

      Taking into account that I know nothing about your computer, what method you use to update it, or which updates you were trying to install, if I were you, I would boot into Safe Mode with Networking and try again. It’s apparently important to install the “Servicing Stack” and “SHA2” updates separately from other Windows updates. I would do those first, followed by a reboot. Then do the other updates you want to install. (I don’t know whether Windows Update attempts to do this automatically, since I no longer use Windows Update to update any of the Windows 7 systems I work on.) Conceivably, you may have to cancel (uncheck?) pending installs of updates *other* than Servicing Stack and SHA2 for that initial update-and-reboot round.

      Here’s an article on how to reboot in Safe Mode with Networking:

      Start Windows in Safe Mode or Safe Mode with Networking—ESET Knowledgebase
      https://support.eset.com/kb2268/?locale=en_US&viewlocale=en_US

      If other commenters have better suggestions, I welcome them.

  6. Peterc said on March 15, 2019 at 9:41 pm
    Reply

    I’m running Windows 7 SP1 x64 Pro on a 9-year-old Lenovo ThinkPad T510 with integrated graphics (i.e., with no discrete GPU chip). Also of note: I don’t run Microsoft Office, and I “turned off” Internet Explorer in Programs and Features a couple/few months ago.

    *** EXECUTIVE SUMMARY ***

    March 2019 Patch Tuesday’s *Windows security-only* updates seem to be working fine on my machine.

    *** LONG-WINDED BLOVIATION ***

    I stopped using Windows Update after the September 2016 Patch Tuesday because I no longer trust it not to install updates I don’t want. I changed my Windows Update setting to “don’t check for updates” and even activated the Windows Update firewall blocklist in WPD.

    Instead, I’ve been using WSUS Offline Update to install “security-only” updates since January 2017, always waiting *at least* a couple of days after Patch Tuesday before running it. (It usually takes Belarc Advisor that long to update its database of security updates anyway, and I rely on Belarc for doing pre-update and post-update comparisons, to see whether or not I’m still missing anything. The people who run WSUS Offline Update seem to proactively blacklist seriously problematic updates on their end, but I nonetheless take advantage of the “Belarc delay” to search the Web for relevant bug reports in case I have to manually blacklist additional updates on *my* end. I think I’ve done that maybe *one time* in the 26 months I’ve been using WSUS Offline Update, and I’m not certain that the updates *I* blacklisted hadn’t already been blacklisted by WOU itself. I was still a beginning user back then.)

    Anyway, if there are a bunch of critical updates for scary-sounding vulnerabilities, I tend to update sooner, and if there aren’t, I may wait for up to a week, leaving more time for bug reports to transpire. I always have a freshly cloned drive that I can swap in for the system drive, regardless, in case Patch Tuesday updates end up borking the system despite my precautions. I’ve had to use it on my current computer (which I got used a few years ago) only once — after updating Wireshark, of all things! — but a friend of mine has had to swap in *his* clone at least *five* times, twice after bad MS Office updates and twice after bad Windows updates. (By the way, this was back in the days when he, too, was still using Windows Update.) The other time was around a month ago, after a power outage coupled with a UPS failure irreparably borked his system drive.

    A couple of times I have had to delete a corrupt or inaccurate WSUS Offline Update data/configuration file for the program to “reset” and run — I found *that* solution almost immediately by googling it — but apart from that, it has been pretty smooth sailing, and the March 2019 Patch Tuesday was no exception.

    As usual, I selected the automatic reboot and recall option in WSUS Offline Update’s second installer component/stage, and this time the program went through two reboots. From what *I* saw, it installed the servicing stack and SHA2 updates (along with Silverlight, C++, Remote Desktop, and similar “accessory” updates) on the first reboot, and then installed the Windows security updates proper on the second reboot. The installation log showed no errors or warnings worthy of concern. (Ditto, incidentally, for the download log, after running WSUS Offline Update’s initial download component/stage). Belarc Advisor showed no more missing security updates. (It had previously flagged four as missing.) Finally, WPD indicated that no unwanted diagnostics or telemetry had been reactivated.

    I have always selected the option to automatically display the installation log at the end of the installation stage, and WSUS Offline Update doesn’t load your personal Desktop and settings until you close that log. (It operates in some kind of pre-installation or generic/default-user environment until then.) I’ve noticed that some autostart programs and services don’t always work correctly after WSUS Offline Update reloads my Desktop and settings. Iconoid may not find the Desktop, Windows Explorer may “stop working” and need to be restarted, System Explorer’s Notification Area / System Tray icon may be hidden instead of displayed, and stuff like that. Accordingly, I’ve taken to doing a manual reboot as the final step in the process. It’s the only way to be sure that less obvious stuff didn’t also get screwed up. Even if I didn’t automatically display the installation log, or use automatic reboot and recall, I’d probably *still* do a final manual reboot, for good measure.

    At any rate, everything seems to be working fine for me, so far. I’ll be updating a friend’s computers tomorrow using the same method. Both of his computers have Microsoft Office installed, and one of them has a discrete graphics card. If I run into any problems there, I’ll try to remember to post about them here.

    NOTE: WSUS Offline Update itself was very recently updated, and I’m pretty sure it’s a mandatory update in light of the servicing stack and SHA2 changes. It’s a portable program, so you’ll have to download the new version, unzip it, and overwrite the program’s old files with the download’s new files. Also, this Patch Tuesday the download stage went reasonably quickly but — even taking into account how old and underpowered my computer is — the installation stage took an *unusually* long time (maybe an hour and a half in all?). I’m glad I had a Linux computer to use while the Windows updates were being installed, because I’d already done the dishes, cleaned the kitchen, cleaned the bathroom, and taken out the trash and recycling… ;-)

  7. nkt said on March 15, 2019 at 3:11 pm
    Reply

    The IE cumulative updates are missing from your spreadsheet? wondering if thats intentional

  8. Scott Leach said on March 15, 2019 at 1:10 am
    Reply

    I can’t see any Office updates listed in the spreadsheet?

  9. Dave said on March 14, 2019 at 12:17 am
    Reply

    I tried doing an offline upgrade from 1803 to 1809. I used the media creation tool to make a usb drive. I unplugged my network cable then disabled all my non windows security. I reset all my tweaks (WinAeroTweaker) and I unconfigured the GP for Continue experiences (to avoid breaking the start menu).

    Everything seemed to go ok until I opened Edge. It took 2-3 minutes to open any webpages. I removed all 4 of my extensions, I tried resetting it. I went into safe mode and deleted it and back to normal and reinstalled it, no luck.

    Then I noticed FF took much longer to load any webpages.

    Thankfully there is one thing M4 has managed to make work right. The rollback function!

  10. TelV said on March 13, 2019 at 6:15 pm
    Reply

    @kanade06,

    You might experience problems installing updates in the future if any of them have been signed using only the SHA-2 hash algorithm. The servicing stack addresses that issue according to the KB article: https://support.microsoft.com/en-us/help/4490628/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2

  11. kanade96 said on March 13, 2019 at 12:49 pm
    Reply

    I was able to install Windows 7 64bit security only updates though, it looks like I needed to install 4490628 first before installing this month’s security updates.

    Do I have to install 4490628? There wasn’t any problems with installing this months update and this is the first time I’ve seen these “Servicing stack update” appear in the list.

    1. ilev said on March 13, 2019 at 6:57 pm
      Reply

      KB4490628 is a SHA-2 securityis and is exclusive, meaning you have to install it AFTER all other updates were installed with no errors.

  12. Anonymous said on March 12, 2019 at 11:35 pm
    Reply

    At my Win 10 1809, after this march MS-update, my history of Windows updates is empty.

    I made a list of installed update according:
    https://community.tenable.com/s/article/How-to-Get-a-List-of-All-of-the-Installed-Updates-on-Windows
    to a file update.txt

    I then see a list of Win10 updates which is smaller than I remember from the disappeared Win10-update-history.

    Anyone else this experience?

    1. ilev said on March 13, 2019 at 11:27 am
      Reply

      Yes. It doesn’t list all updates.

  13. ilev said on March 12, 2019 at 9:10 pm
    Reply

    4489899 Windows 10 version 1809 audio stop bug for gamers and non-gamers.

  14. Anonomous said on March 12, 2019 at 7:50 pm
    Reply

    Hi Martin,

    It looks like there is a typo in the 2nd title. It reads “Microsoft Windows Security Updates January 2019” — shouldn’t this be for March? February’s post is also like this.

    1. Martin Brinkmann said on March 12, 2019 at 8:00 pm
      Reply

      Right, thank you!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.