As I received some feedback that I should also add the Urls to the KB articles of the different security fixes I added this information to my blog post.
SharePoint 2010 Suite:
- KB 4461611 – Word Automation Services for SharePoint 2010
- KB 4464571 – SharePoint Server 2010 (core component)
- KB 4461621 – Office Web Apps Server 2010
- KB 4092442 – Project Server 2010
SharePoint 2013 Suite:
- KB 4464602 – SharePoint Foundation 2013 (core component)
- KB 4464597 – SharePoint Server 2013 (core component)
SharePoint 2016 Suite:
- KB 4464594 – SharePoint Server 2016 (language independent)
SharePoint 2019 Suite:
- KB 4475512 – SharePoint Server 2019 (language independent)
Office Online Server:
- KB 4475511 – Office Online Server
See the Security Update Guide below for more details about the relevant fixes:
More information:
Permalink
Hi Stefan, really appreciate the blog. Do you know if this update needs psconfig runningn to apply fix?
Permalink
Hi Joe,
all SharePoint fixes require psconfig.
No exceptions.
Cheers,
Stefan
Permalink
Thanks for such a fast reply. I was just hoping, as the mentioned the ms update install instructions page doesnt say to run it. And having just patched many many farms in a tight timescale for the people picket vulnerability, my heart sank at another important vuln this month.
Permalink
Hi Joe,
if this is SP2016 or SP2019 you can run psconfig in the middle of the day as it does not cause any downtime. Only for SP2010 and SP2013 you have to use a maintenence window.
Cheers,
Stefan
Permalink
Indeed. Alas i have 2010/13 as well still, so its ordinarily not a monthly job to do psconfig. Thanks for the advice though.
Permalink
Hello,
I have tried to install “KB 4464597” but it says no product found. kb2880552 already installed to apply this security update!
Permalink
Hi Amer,
The message indicates that either the fix is already installed or something is wrong with your Installation.
If you are unsure you should open a ticket with Microsoft to get this analyzed.
Cheers,
Stefan
Permalink
Hello Stefan i’ve the same issue on my farm.i can send you log and screenshot
Permalink
Hi Kevin, if you need assistance with this I would recommend to open a support case with Microsoft.
Permalink
Thank you stefan.
KB4464597 is security update replacement for kb4464511 which not installed on the servers. Is it necessary to install “KB4464597”. Whether it’s necessary or not, is using PACKAGE.BYPASS.DETECTION.CHECK=1 to install this update security could cause issue to the servers?.
Permalink
Never use PACKAGE.BYPASS.DETECTION.CHECK=1. This is an undocumented parameter which is only allowed to be used if requested by Microsoft support.
Using this parameter can destabilize your system as required dependencies might not be available and will lead to an unsupported environment.
Permalink
Hello Stefan, On our SharePoint 2013 enterprise farm I installed 4464597. https://support.microsoft.com/en-us/help/4464597/security-update-for-sharepoint-enterprise-server-2013-june-11-2019 . Does this patch resolve the cross site scripting issue or do I need to install the foundation 4464602 bits as well resolve the XSS vulnerability ?
Permalink
Hi Bob,
as you are installing individual security fixes and not the whole CU you need to install both patches as they affect different components.
Cheers,
Stefan
Permalink
First, thank you for this blog.
SharePoint Security Patch use to be Specific to Services like Excel Services, Word Services and Core Services. For about a year now all Security Patches are for Core Services is there any reasons for that ? Next questions that could sound silly is why are we finding security issues every months ? Could we not make SP Secure once for all ? Or at least fix security bugs few times a year but not on a monthly basis ? We have so many servers to patch it is now almost a full time job only for patching. Other than stopping all SharePoint Services when installing the binaries is their any Microsoft Supported Product we can use to add some automation to SharePoint Patching ?
Sorry for these many questions … 🙂
Thank you
Permalink
Hi Stephane,
SharePoint 2010 and 2013 consist of 30+ components which are patched independently.
Core services and Excel services are two of these components. Word automation service is another one and so on.
If there are no excel services fixes in one month it means there was no security fix for excel services in this month.
Cheers,
Stefan