Microsoft Windows Security Updates April 2019 overview

Microsoft released security updates for supported versions of Windows and other company today on the April 9, 2019 Patch Tuesday.

Updates are provided in various ways: via Windows Update, as direct downloads, and through Enterprise updating systems.

Our monthly overview of Microsoft's Patch Day offers detailed information on updates, additional information that is relevant, and links to supported articles.

It starts with an executive summary, and is followed by the statistics, the list of released updates, known issues, and direct download links.

You can check out last month's Patch Day in case you have missed it. As always, it is recommended that systems are backed up before new patches are installed. Note that some users had troubles installing the last cumulative update for Windows 10 version 1809; you can check a possible fix for System Service Exception blue screens here.

Attention: Reports of Windows 7 and 8.1, and Server 2008 R2 / 2012 R2 machines freezing after update installation. Is apparently related to Sophos products, only solution right now is to uninstall the update. Check out this article for more details.

Microsoft Windows Security Updates April 2019

Download the following Excel spreadsheet listing security updates and related information for updates that Microsoft released in April 2019. Click on the following link to download the spreadsheet to your local system: microsoft-windows-security-updates-april-2019.zip

Executive Summary

Windows 10 version 1607 reached end of support for Enterprise and Education customers today.
Windows 10 version 1709 reached end of support for Home, Pro and Pro for Workstations today.
Microsoft released security updates for all client and server versions of Windows.
Other Microsoft software with security updates: Microsoft Edge, Internet Explorer, Microsoft Exchange Server, Team Foundation Server, Azure DevOps Server, Windows Admin Center, Microsoft Office
Microsoft fixed many long standing known issues.
The Update Catalog lists 133 updates.

Operating System Distribution

Windows 7: 29 vulnerabilities of which 6 are rated critical and 23 are rated important (links see W10 1809)
- CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
- CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
Windows 8.1: 31 vulnerabilities of which 7 are rated critical and 24 are rated important (links see W10 1809)
- CVE-2019-0790 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
- CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
Windows 10 version 1607: 33 vulnerabilities of which 7 are critical and 26 are important
- critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
Windows 10 version 1703: 35 vulnerabilities of which 7 are critical and 28 are important
- critical issues same as W10 1809 except for CVE-2019-0786 which is not listed.
Windows 10 version 1709: 37 vulnerabilities of which 8 are critical and 29 are important
- critical issues same as W10 1809
Windows 10 version 1803: 37 vulnerabilities of which 8 are critical and 29 are important
- critical issues same as W10 1809
Windows 10 version 1809: 36 vulnerabilities of which 8 are critical and 28 are important
- CVE-2019-0853 | GDI+ Remote Code Execution Vulnerability
- CVE-2019-0845 | Windows IOleCvt Interface Remote Code Execution Vulnerability
- CVE-2019-0795 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0793 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0792 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0791 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0790 | MS XML Remote Code Execution Vulnerability
- CVE-2019-0786 | SMB Server Elevation of Privilege Vulnerability

Windows Server products

Windows Server 2008 R2: 29 vulnerabilities of which 6 are critical and 23 are important.
- same as Windows 7
Windows Server 2012 R2: 31 vulnerabilities of which 7 are critical and 24 are important.
- critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
Windows Server 2016: 33 vulnerabilities of which 7 are critical and 26 are important
- critical issues same as W10 1809 except CVE-2019-0786 which is not listed.
Windows Server 2019: 36 vulnerabilities of which 8 are critical and 28 are important.
- Critical issues same as W10 1809

Other Microsoft Products

Internet Explorer 11: 5 vulnerability, 1 critical, 4 important
Microsoft Edge: 9 vulnerabilities, 7 critical, 2 important

Windows Security Updates

Windows 7 Service Pack 1

Monthly rollups won't include PciClearStaleCache.exe anymore starting with this update. Microsoft advises that administrators make sure that updates between April 20, 2018 and March 12, 2019 are installed prior to installing this update and future monthly rollup updates to make sure that the program is on the system.

The following symptoms may be experienced if the file is not available:

Existing NIC definitions in control panel networks may be replaced with a new Ethernet Network Interface Card (NIC) but with default settings. Any custom settings on the previously NIC persist in the registry but were unused.
Loss of static IP address settings.
Network Flyout does not display certain Wi-Fi profile settings.
Disabling of Wi-Fi network adapters.

KB4493472 -- Monthly Rollup

Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
Fixed an issue that caused the error "0x3B_c0000005_win32k!vSetPointer".
Fixed the netdom.exe error "The command failed to complete successfully" appears.
Fixed the Custom URI Schemes issue.
Fixed the WININET.DLL issue.
Security updates

KB4493448 -- Security only update

Same as monthly rollup except for error "0x3B_c0000005_win32k!vSetPointer" and Custom URI Schemes.

Windows 8.1

KB4493446 -- Monthly Rollup

Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers.
Fixes an issue with MSXML6 that could cause programs to stop responding.
Fixed an issue with the Group Policy Editor that caused it to stop responding when editing Group Policy Preferences for Internet Explorer 10 Internet settings.
Fixed an issue with Custom URI schemes for Application Protocol Handlers.
Fixed an authentication issue in Internet Explorer 11 and other apps that use WININET.DLL.
Security updates for various components.

KB4493467 -- Security-only Update

Same as the Monthly rollup except the Custom URI schemes fix (not listed)

Windows 10 version 1607

KB4493470

Fixed several known issues.
Fixed an issue to meet GB18030 certificate requirements.
Security updates.

Windows 10 version 1703

KB4493474

Fixed several known issues
Security Updates

Windows 10 version 1709

KB4493441

Fixed several known issues
Security Updates

Windows 10 version 1803

KB4493464

Fixed several known issues
Addresses a stop error that occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting.
Security updates.

Windows 10 version 1809

KB4493509

Fixed several known issues including EUDC blue screen, MXSML6 stop responding, Group Policy Editor stops responding, WININET.DLL
Security updates

Other security updates

KB4493435 -- Cumulative Security Update for Internet Explorer

KB4491443 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493448 -- Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4493450 -- Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4493451 -- Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4493458 -- Security Only Quality Update for Windows Server 2008

KB4493471 -- Security Monthly Quality Rollup for Windows Server 2008

KB4493472 -- Security Monthly Quality Rollup for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4493478 -- Security Update for Adobe Flash Player

KB4493563 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493730 -- Security Update for Windows Server 2008

KB4493790 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493793 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493794 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493795 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493796 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493797 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4493927 -- Information disclosure vulnerability in Windows Embedded POSReady 2009

KB4494059 -- Remote code execution vulnerability in Windows Embedded POSReady 2009

KB4494528 -- You receive an Error 1309 message when you install an .msi file on Windows Embedded POSReady 2009

KB4495022 -- Information disclosure vulnerability in Windows Embedded POSReady 2009

Known Issues

Windows 7 Service Pack 1

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. Workarounds available.

Windows 8.1

Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. Workarounds available.

Windows 10 version 1607

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

And the Windows 7 SP1 issue.

Windows 10 version 1607 and newer

After installing the Internet Explorer cumulative update, custom URI schemes for application protocol handlers may not work properly in Internet Explorer. Workaround available.

Windows 10 version 1803

Same as Windows 7 SP1

Windows 10 version 1809, Windows Server 2016

Same as Windows 7 SP1

Security advisories and updates

ADV190011 | April 2019 Adobe Flash Security Update

ADV990001 | Latest Servicing Stack Updates

Non-security related updates

KB4487990 -- Update for POSReady 2009

KB890830 -- Windows Malicious Software Removal Tool - April 2019

Microsoft Office Updates

You find a list of all released updates for Microsoft Office -- security and non-security - here.

How to download and install the April 2019 security updates

Windows Updates get installed automatically on Home systems by default. You can block or delay the installation of updates on these systems.

It is not recommended to run a manual check for updates as it may lead to the installation of preview updates or feature updates, but you may do so in the following way:

Open the Start Menu.
Type Windows Update.
Click on the "check for updates" button to run a manual check.

You may use third-party tools like the excellent Windows Update Manager or Windows Update Minitool to download updates.

Direct update downloads

Microsoft makes available all cumulative updates that it releases for Windows as direct downloads on the Microsoft Update Catalog website. Follow the links listed below to go there for the listed version of Windows.

Windows 7 SP1 and Windows Server 2008 R2 SP

KB4493472 -- 2019-04 Security Monthly Quality Rollup for Windows 7
KB4493448 -- 2019-04 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

KB4493446 -- 2019-04 Security Monthly Quality Rollup for Windows 8.1
KB4493467 -- 2019-04 Security Only Quality Update for Windows 8.1

Windows 10 and Windows Server 2016 (version 1607)

KB4493470 -- 2019-04 Cumulative Update for Windows 10 Version 1607

Windows 10 (version 1703)

KB4493474 -- 2019-04 Cumulative Update for Windows 10 Version 1703

Windows 10 (version 1709)

KB4493441 -- 2019-04 Cumulative Update for Windows 10 Version 1709

Windows 10 (version 1803)

KB4493464 -- 2019-04 Cumulative Update for Windows 10 Version 1803

Windows 10 (version 1809)

KB4493509 -- 2019-04 Cumulative Update for Windows 10 Version 1809

Additional resources

April 2019 Security Updates release notes
List of software updates for Microsoft products
List of the latest Windows Updates and Services Packs
Security Updates Guide
Microsoft Update Catalog site
Our in-depth Windows update guide
How to install optional updates on Windows 10
Windows 10 Update History
Windows 8.1 Update History
Windows 7 Update History