Microsoft security alert.
January 8, 2019
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 47 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Security Update for January 2019
- Severity
- Critical 4
- Qualys ID
- 100351
- Vendor Reference
- KB4480116, KB4480961, KB4480962, KB4480963, KB4480965, KB4480966, KB4480968, KB4480970, KB4480973, KB4480975, KB4480978
- CVE Reference
- CVE-2019-0541
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.
Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7,Windows Embedded Standard 7 , Windows Embedded 8 Standard, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.
This QID checks for the file version of %windir%\System32\mshtml.dll
The following versions of mshtml.dll with their corresponding KBs are verified:
1.KB4480970 - 11.0.9600.19236
2.KB4480965 - 11.2.9600.19236,9.1.8112.21304,10.0.9200.22644,8.0.6001.24147
3.KB4480963 - 11.0.9600.19236
4.KB4480961 - 11.0.14393.2724
5.KB4480962 - 11.0.10240.18094
6.KB4480973 - 11.0.15063.1563
7.KB4480966 - 11.0.17134.523
8.KB4480116 - 11.0.17763.253
9.KB4480975 - 10.0.9200.22644
10.KB4480968 - 9.0.8112.21304
For Windows 10 1709 we check for patched version of %windir%\System32\combase.dll
KB4480978 - 10.0.16299.904
- Consequence
-
Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user.
- Solution
-
For more information, refer to the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2019
- Severity
- Critical 4
- Qualys ID
- 110328
- Vendor Reference
- KB2553332, KB2596760, KB3172522, KB4022162, KB4461535, KB4461537, KB4461543, KB4461589, KB4461591, KB4461594, KB4461595, KB4461596, KB4461598, KB4461601, KB4461612, KB4461614, KB4461617, KB4461620, KB4461623, KB4461624, KB4461625, KB4461633, KB4461634, KB4461635, KB4462112
- CVE Reference
- CVE-2019-0541, CVE-2019-0556, CVE-2019-0557, CVE-2019-0558, CVE-2019-0559, CVE-2019-0560, CVE-2019-0561, CVE-2019-0562, CVE-2019-0585, CVE-2019-0622
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft released security updates in January 2019 to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB2553332
KB2596760
KB3172522
KB4022162
KB4461535
KB4461537
KB4461543
KB4461589
KB4461591
KB4461594
KB4461595
KB4461596
KB4461598
KB4461601
KB4461612
KB4461614
KB4461617
KB4461620
KB4461623
KB4461624
KB4461625
KB4461633
KB4461634
KB4461635
KB4462112
QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system. - Consequence
- Successful exploitation allows an attacker to execute arbitrary code.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2019
-
Microsoft Windows Exchange Server Update for January 2019
- Severity
- Critical 4
- Qualys ID
- 53020
- Vendor Reference
- CVE-2019-0586, CVE-2019-0588
- CVE Reference
- CVE-2019-0586, CVE-2019-0588
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
CVE-2019-0588: An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended. To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The security update addresses the vulnerability by modifying how the Exchange PowerShell API grants permissions to contributors.
CVE-2019-0586: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.KB Articles associated with this update are: KB4468742, KB4471389
Affected Versions:
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 25
Microsoft Exchange Server 2013 Cumulative Update 21
Microsoft Exchange Server 2016 Cumulative Update 10, 11QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe.
The version for Microsoft Exchange Server 2016 Cumulative Update 10 is 15.1.1531.8
The version for Microsoft Exchange Server 2016 Cumulative Update 11 is 15.1.1591.11 - Consequence
-
Successful exploitation allows a remote attacker to view additional details about the calendar that would normally be hidden.
- Solution
-
Customers are advised to refer to CVE-2019-0588, CVE-2019-0586for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-0588
-
Microsoft Edge Security Update for January 2019
- Severity
- Urgent 5
- Qualys ID
- 91493
- Vendor Reference
- KB4480116, KB4480961, KB4480962, KB4480966, KB4480973, KB4480978
- CVE Reference
- CVE-2019-0539, CVE-2019-0565, CVE-2019-0566, CVE-2019-0567, CVE-2019-0568
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser. Microsoft Edge is vulnerable to multiple issues.
The KB Articles associated with the update:
KB4480116
KB4480961
KB4480962
KB4480966
KB4480973
KB4480978The QID Detection Logic (Authenticated):
This QID reviews the file version of %windir%\System32\edgehtml.dll
The patch version is 11.0.10240.18094 (KB4480962)
The patch version is 11.0.14393.2724 (KB4480961)
The patch version is 11.0.15063.1563 (KB4480973)
The patch version is 11.0.16299.846 (KB4480978)
The patch version is 11.0.17134.523 (KB4480966)
The patch version is 11.0.17763.253 (KB4480116)
- Consequence
-
Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows(Edge)
-
Microsoft .NET Framework Security Update January 2019
- Severity
- Critical 4
- Qualys ID
- 91494
- Vendor Reference
- 4480051, 4480054, 4480055, 4480056, 4480057, 4480058, 4480059, 4480061, 4480062, 4480063, 4480064, 4480070, 4480071, 4480072, 4480074, 4480075, 4480076, 4480083, 4480084, 4480085, 4480086, 4480961, 4480962, 4480966, 4480973, 4480978
- CVE Reference
- CVE-2019-0545
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
An information disclosure vulnerability exists in .NET Framework which allows bypassing Cross-origin Resource Sharing (CORS) configurations.
KB4480051,KB4480054,KB4480055,KB4480056,KB4480057,KB4480058,KB4480059,KB4480061,KB4480062,KB4480063,KB4480064,KB4480070,KB4480071,KB4480072,KB4480074,KB4480075,KB4480076,KB4480083,KB4480084,KB4480085,KB4480086,KB4480961,KB4480962,KB4480966,KB4480973,KB4480978 are covered in this QID. This security update is rated Important for supported versions of Microsoft .NET Framework.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of system.dll - Consequence
- An attacker who successfully exploited the vulnerability can retrieve content, that is normally restricted, from a web application.
- Solution
-
Customers are advised to refer to CVE-2019-0545 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
4480051
4480054
4480055
4480056
4480057
4480058
4480059
4480061
4480062
4480063
4480070
4480071
4480072
4480074
4480075
4480076
4480083
4480084
4480085
4480086
4480961
4480962
4480966
4480973
4480978
4480064
-
Microsoft Windows Security Update January 2019
- Severity
- Critical 4
- Qualys ID
- 91495
- Vendor Reference
- KB4480116, KB4480957, KB4480960, KB4480961, KB4480962, KB4480963, KB4480964, KB4480966, KB4480968, KB4480970, KB4480972, KB4480973, KB4480975, KB4480978
- CVE Reference
- CVE-2019-0536, CVE-2019-0543, CVE-2019-0547, CVE-2019-0549, CVE-2019-0550, CVE-2019-0551, CVE-2019-0552, CVE-2019-0553, CVE-2019-0554, CVE-2019-0555, CVE-2019-0569, CVE-2019-0570, CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554, CVE-2019-0569)
An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. (CVE-2019-0543)
A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. (CVE-2019-0547)
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0550, CVE-2019-0551)
An elevation of privilege exists in Windows COM Desktop Broker. (CVE-2019-0552)
An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. (CVE-2019-0553)
An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. (CVE-2019-0555)
An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. (CVE-2019-0570)
An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. (CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574)
A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. (CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584)QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
The patch version of 6.0.6002.24555 (KB4480968 or KB4480957)
The patch version of 6.1.7601.24335 (KB4480970 or KB4480960)
The patch version of 6.2.9200.22638 (KB4480975 or KB4480972)
The patch version of 6.3.9600.19228 (KB4480963 or KB4480964)
The patch version of 10.0.10240.18094 (KB4480962)
The patch version of 10.0.14393.2724 (KB4480961)
The patch version of 10.0.15063.1563 (KB4480973)
The patch version of 10.0.16299.904 (KB4480978)
The patch version of 10.0.17134.523 (KB4480966)
The patch version of 10.0.17763.253 (KB4480116)
- Consequence
-
Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Guidance Windows
-
Microsoft Windows 10 (1703) Servicing Stack Security Update January 2019 (KB4486458)
- Severity
- Serious 3
- Qualys ID
- 91496
- Vendor Reference
- KB4486458
- CVE Reference
- N/A
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
Microsoft has released Servicing Stack security updates for Windows 10 (Version 1703).
The update makes quality improvements to the servicing stack, which is the component that installs Windows updates.
QID Detection Logic (Authenticated):
Operating Systems: Windows 10 version 1703
This QID checks for following file versions %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
The patch version of 10.0.15063.1563 (KB4486458)
- Consequence
- Successful exploitation allows attacker to compromise the system.
- Solution
-
Customers are advised to refer to advisrory ADV990001for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4486458
-
Microsoft Visual Studio Security Update for January 2019
- Severity
- Critical 4
- Qualys ID
- 91497
- Vendor Reference
- CVE-2019-0537, CVE-2019-0546
- CVE Reference
- CVE-2019-0537, CVE-2019-0546
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft Visual Studio contains the following vulnerabilities:
CVE-2019-0537: An information disclosure vulnerability exists when Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file.
CVE-2019-0546: A remote code execution vulnerability exists in Visual Studio when the C++ compiler improperly handles specific combinations of C++ constructs.KB Articles associated with this update are: KB4476698, KB4476755
Affected Software:
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2012 Update 5
Microsoft Visual Studio 2017 version 15.9QID Detection Logic:
This QID detects vulnerable versions of Microsoft Visual Studio by reviewing the file version of devenv.exe on all instances of Visual Studio. - Consequence
- Successful exploitation allows an attacker to take advantage of the information disclosure vulnerability and view arbitrary file contents from the computer where the victim launched Visual Studio. Additionally, the remote code execution vulnerability could allow the attacker to run arbitrary code in the context of the current user.
- Solution
-
Customers are advised to refer to CVE-2019-0537 and CVE-2019-0546 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-0537
CVE-2019-0546
-
Microsoft ASP.NET Core Denial Of Service Vulnerability January 2019
- Severity
- Serious 3
- Qualys ID
- 91498
- Vendor Reference
- CVE-2019-0548
- CVE Reference
- CVE-2019-0548
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests.
A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to the .NET Core application.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of aspnetcore.dll - Consequence
- An attacker who successfully exploited this vulnerability can cause a denial of service against an ASP.NET Core web application.
- Solution
-
Microsoft has released a patch ASP.NET Core 2.2.1
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ASP.NET Core 2.1
ASP.NET Core 2.2
These new vulnerability checks are included in Qualys vulnerability signature 2.4.504-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100351
- 110328
- 53020
- 91493
- 91494
- 91495
- 91496
- 91497
- 91498
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.