Microsoft security alert.

January 8, 2019

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 47 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for January 2019

    Severity
    Critical 4
    Qualys ID
    100351
    Vendor Reference
    KB4480116, KB4480961, KB4480962, KB4480963, KB4480965, KB4480966, KB4480968, KB4480970, KB4480973, KB4480975, KB4480978
    CVE Reference
    CVE-2019-0541
    CVSS Scores
    Base 9.3 / Temporal 7.7
    Description
    Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7,Windows Embedded Standard 7 , Windows Embedded 8 Standard, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.

    This QID checks for the file version of %windir%\System32\mshtml.dll

    The following versions of mshtml.dll with their corresponding KBs are verified:
    1.KB4480970 - 11.0.9600.19236
    2.KB4480965 - 11.2.9600.19236,9.1.8112.21304,10.0.9200.22644,8.0.6001.24147
    3.KB4480963 - 11.0.9600.19236
    4.KB4480961 - 11.0.14393.2724
    5.KB4480962 - 11.0.10240.18094
    6.KB4480973 - 11.0.15063.1563
    7.KB4480966 - 11.0.17134.523
    8.KB4480116 - 11.0.17763.253
    9.KB4480975 - 10.0.9200.22644
    10.KB4480968 - 9.0.8112.21304

    For Windows 10 1709 we check for patched version of %windir%\System32\combase.dll
    KB4480978 - 10.0.16299.904

    Consequence
    Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user.

    Solution
    For more information, refer to the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2019

    Severity
    Critical 4
    Qualys ID
    110328
    Vendor Reference
    KB2553332, KB2596760, KB3172522, KB4022162, KB4461535, KB4461537, KB4461543, KB4461589, KB4461591, KB4461594, KB4461595, KB4461596, KB4461598, KB4461601, KB4461612, KB4461614, KB4461617, KB4461620, KB4461623, KB4461624, KB4461625, KB4461633, KB4461634, KB4461635, KB4462112
    CVE Reference
    CVE-2019-0541, CVE-2019-0556, CVE-2019-0557, CVE-2019-0558, CVE-2019-0559, CVE-2019-0560, CVE-2019-0561, CVE-2019-0562, CVE-2019-0585, CVE-2019-0622
    CVSS Scores
    Base 9.3 / Temporal 7.7
    Description
    Microsoft released security updates in January 2019 to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB2553332
    KB2596760
    KB3172522
    KB4022162
    KB4461535
    KB4461537
    KB4461543
    KB4461589
    KB4461591
    KB4461594
    KB4461595
    KB4461596
    KB4461598
    KB4461601
    KB4461612
    KB4461614
    KB4461617
    KB4461620
    KB4461623
    KB4461624
    KB4461625
    KB4461633
    KB4461634
    KB4461635
    KB4462112

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2019

  • Microsoft Windows Exchange Server Update for January 2019

    Severity
    Critical 4
    Qualys ID
    53020
    Vendor Reference
    CVE-2019-0586, CVE-2019-0588
    CVE Reference
    CVE-2019-0586, CVE-2019-0588
    CVSS Scores
    Base 10 / Temporal 7.4
    Description
    CVE-2019-0588: An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended. To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The security update addresses the vulnerability by modifying how the Exchange PowerShell API grants permissions to contributors.
    CVE-2019-0586: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

    KB Articles associated with this update are: KB4468742, KB4471389

    Affected Versions:
    Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 25
    Microsoft Exchange Server 2013 Cumulative Update 21
    Microsoft Exchange Server 2016 Cumulative Update 10, 11

    QID Detection Logic (authenticated):
    The QID checks for the version of file Exsetup.exe.
    The version for Microsoft Exchange Server 2016 Cumulative Update 10 is 15.1.1531.8
    The version for Microsoft Exchange Server 2016 Cumulative Update 11 is 15.1.1591.11

    Consequence
    Successful exploitation allows a remote attacker to view additional details about the calendar that would normally be hidden.

    Solution
    Customers are advised to refer to CVE-2019-0588, CVE-2019-0586for information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-0588

  • Microsoft Edge Security Update for January 2019

    Severity
    Urgent 5
    Qualys ID
    91493
    Vendor Reference
    KB4480116, KB4480961, KB4480962, KB4480966, KB4480973, KB4480978
    CVE Reference
    CVE-2019-0539, CVE-2019-0565, CVE-2019-0566, CVE-2019-0567, CVE-2019-0568
    CVSS Scores
    Base 7.6 / Temporal 6.3
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser. Microsoft Edge is vulnerable to multiple issues.

    The KB Articles associated with the update:
    KB4480116
    KB4480961
    KB4480962
    KB4480966
    KB4480973
    KB4480978

    The QID Detection Logic (Authenticated):
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.10240.18094 (KB4480962)
    The patch version is 11.0.14393.2724 (KB4480961)
    The patch version is 11.0.15063.1563 (KB4480973)
    The patch version is 11.0.16299.846 (KB4480978)
    The patch version is 11.0.17134.523 (KB4480966)
    The patch version is 11.0.17763.253 (KB4480116)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.

    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows(Edge)

  • Microsoft .NET Framework Security Update January 2019

    Severity
    Critical 4
    Qualys ID
    91494
    Vendor Reference
    4480051, 4480054, 4480055, 4480056, 4480057, 4480058, 4480059, 4480061, 4480062, 4480063, 4480064, 4480070, 4480071, 4480072, 4480074, 4480075, 4480076, 4480083, 4480084, 4480085, 4480086, 4480961, 4480962, 4480966, 4480973, 4480978
    CVE Reference
    CVE-2019-0545
    CVSS Scores
    Base 5 / Temporal 3.7
    Description
    An information disclosure vulnerability exists in .NET Framework which allows bypassing Cross-origin Resource Sharing (CORS) configurations.

    KB4480051,KB4480054,KB4480055,KB4480056,KB4480057,KB4480058,KB4480059,KB4480061,KB4480062,KB4480063,KB4480064,KB4480070,KB4480071,KB4480072,KB4480074,KB4480075,KB4480076,KB4480083,KB4480084,KB4480085,KB4480086,KB4480961,KB4480962,KB4480966,KB4480973,KB4480978 are covered in this QID. This security update is rated Important for supported versions of Microsoft .NET Framework.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of system.dll

    Consequence
    An attacker who successfully exploited the vulnerability can retrieve content, that is normally restricted, from a web application.
    Solution
    Customers are advised to refer to CVE-2019-0545 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    4480051
    4480054
    4480055
    4480056
    4480057
    4480058
    4480059
    4480061
    4480062
    4480063
    4480070
    4480071
    4480072
    4480074
    4480075
    4480076
    4480083
    4480084
    4480085
    4480086
    4480961
    4480962
    4480966
    4480973
    4480978
    4480064

  • Microsoft Windows Security Update January 2019

    Severity
    Critical 4
    Qualys ID
    91495
    Vendor Reference
    KB4480116, KB4480957, KB4480960, KB4480961, KB4480962, KB4480963, KB4480964, KB4480966, KB4480968, KB4480970, KB4480972, KB4480973, KB4480975, KB4480978
    CVE Reference
    CVE-2019-0536, CVE-2019-0543, CVE-2019-0547, CVE-2019-0549, CVE-2019-0550, CVE-2019-0551, CVE-2019-0552, CVE-2019-0553, CVE-2019-0554, CVE-2019-0555, CVE-2019-0569, CVE-2019-0570, CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584
    CVSS Scores
    Base 9.3 / Temporal 7.7
    Description
    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554, CVE-2019-0569)
    An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. (CVE-2019-0543)
    A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. (CVE-2019-0547)
    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0550, CVE-2019-0551)
    An elevation of privilege exists in Windows COM Desktop Broker. (CVE-2019-0552)
    An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. (CVE-2019-0553)
    An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. (CVE-2019-0555)
    An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. (CVE-2019-0570)
    An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. (CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574)
    A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. (CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584)

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
    This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
    The patch version of 6.0.6002.24555 (KB4480968 or KB4480957)
    The patch version of 6.1.7601.24335 (KB4480970 or KB4480960)
    The patch version of 6.2.9200.22638 (KB4480975 or KB4480972)
    The patch version of 6.3.9600.19228 (KB4480963 or KB4480964)
    The patch version of 10.0.10240.18094 (KB4480962)
    The patch version of 10.0.14393.2724 (KB4480961)
    The patch version of 10.0.15063.1563 (KB4480973)
    The patch version of 10.0.16299.904 (KB4480978)
    The patch version of 10.0.17134.523 (KB4480966)
    The patch version of 10.0.17763.253 (KB4480116)

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.

    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Guidance Windows

  • Microsoft Windows 10 (1703) Servicing Stack Security Update January 2019 (KB4486458)

    Severity
    Serious 3
    Qualys ID
    91496
    Vendor Reference
    KB4486458
    CVE Reference
    N/A
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    Microsoft has released Servicing Stack security updates for Windows 10 (Version 1703).

    The update makes quality improvements to the servicing stack, which is the component that installs Windows updates.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 10 version 1703
    This QID checks for following file versions %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
    The patch version of 10.0.15063.1563 (KB4486458)

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Customers are advised to refer to advisrory ADV990001for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4486458

  • Microsoft Visual Studio Security Update for January 2019

    Severity
    Critical 4
    Qualys ID
    91497
    Vendor Reference
    CVE-2019-0537, CVE-2019-0546
    CVE Reference
    CVE-2019-0537, CVE-2019-0546
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft Visual Studio contains the following vulnerabilities:
    CVE-2019-0537: An information disclosure vulnerability exists when Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file.
    CVE-2019-0546: A remote code execution vulnerability exists in Visual Studio when the C++ compiler improperly handles specific combinations of C++ constructs.

    KB Articles associated with this update are: KB4476698, KB4476755

    Affected Software:
    Microsoft Visual Studio 2010 Service Pack 1
    Microsoft Visual Studio 2012 Update 5
    Microsoft Visual Studio 2017 version 15.9

    QID Detection Logic:
    This QID detects vulnerable versions of Microsoft Visual Studio by reviewing the file version of devenv.exe on all instances of Visual Studio.

    Consequence
    Successful exploitation allows an attacker to take advantage of the information disclosure vulnerability and view arbitrary file contents from the computer where the victim launched Visual Studio. Additionally, the remote code execution vulnerability could allow the attacker to run arbitrary code in the context of the current user.
    Solution
    Customers are advised to refer to CVE-2019-0537 and CVE-2019-0546 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-0537
    CVE-2019-0546

  • Microsoft ASP.NET Core Denial Of Service Vulnerability January 2019

    Severity
    Serious 3
    Qualys ID
    91498
    Vendor Reference
    CVE-2019-0548
    CVE Reference
    CVE-2019-0548
    CVSS Scores
    Base 5 / Temporal 3.7
    Description
    A denial of service vulnerability exists when ASP.NET Core improperly handles web requests.

    A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to the .NET Core application.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of aspnetcore.dll

    Consequence
    An attacker who successfully exploited this vulnerability can cause a denial of service against an ASP.NET Core web application.
    Solution
    Microsoft has released a patch ASP.NET Core 2.2.1

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ASP.NET Core 2.1
    ASP.NET Core 2.2

These new vulnerability checks are included in Qualys vulnerability signature 2.4.504-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100351
    • 110328
    • 53020
    • 91493
    • 91494
    • 91495
    • 91496
    • 91497
    • 91498
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.