Cloud Platform
Support

Microsoft security alert.

February 12, 2019

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 72 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit our blog to see how to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for February 2019

    Severity
    Critical 4
    Qualys ID
    100359
    Vendor Reference
    KB4486474, KB4486563, KB4486996, KB4487000, KB4487017, KB4487018, KB4487020, KB4487023, KB4487025, KB4487026, KB4487044
    CVE Reference
    CVE-2019-0606, CVE-2019-0654, CVE-2019-0676
    CVSS Scores
    Base 7.6 / Temporal 5.6
    Description
    Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7,Windows Embedded Standard 7 , Windows Embedded 8 Standard, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.

    This QID checks for the file version of %windir%\System32\mshtml.dll

    The following versions of mshtml.dll with their corresponding KBs are verified:
    1.KB4486563 - 11.0.9600.19267
    2.KB4487044 - 11.0.17763.316
    3.KB4487017 - 11.0.17134.590
    4.KB4486474 - 8.0.6001.24159,9.0.8112.21312,10.0.9200.22671,11.0.9600.19267
    5.KB4487020 - 11.0.15063.1631
    6.KB4487023 - 9.0.8112.21312
    7.KB4487025 - 10.0.9200.22671
    8.KB4487026 - 11.0.14393.2791
    9.KB4486996 - 11.0.16299.967
    10.KB4487000 - 11.0.9600.19267
    11.KB4487018 - 11.0.10240.18132

    Consequence
    Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user.

    Solution
    For more information, refer to the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Windows Adobe Flash Player Security Update for February 2019 (ADV190003)

    Severity
    Serious 3
    Qualys ID
    100360
    Vendor Reference
    ADV190003
    CVE Reference
    CVE-2019-7090
    CVSS Scores
    Base 4.3 / Temporal 3.2
    Description
    This security update fixes a Remote Code Execution Bug with the Action Script Virtual Machine (AVM) module, that could lead to information disclosure in the context of the current user.

    Affected Versions:
    Windows 8 Embedded, Windows 10 Version 1803, Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1809, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, Windows Server 2019 and Windows Server 2012 with Adobe Flash Player version 32.0.0.114 and earlier.

    QID Detection Logic:
    This authenticated QID will flag if file version of %windir%\System32\Macromed\Flash\Flash.ocx is less than or equal to 32.0.0.114.

    Consequence
    Successful exploitation could lead to Information Disclosure in the context of the current user.

    Solution
    Customers are advised to follow 4487038 for instructions pertaining to the remediation of this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV190003 Windows(Flash)

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2019

    Severity
    Critical 4
    Qualys ID
    110330
    Vendor Reference
    KB4018294, KB4018300, KB4018313, KB4092465, KB4461597, KB4461607, KB4461608, KB4461630, KB4462115, KB4462138, KB4462139, KB4462143, KB4462146, KB4462154, KB4462155, KB4462171, KB4462174, KB4462177, KB4462184, KB4462186, KB4462199, KB4462202, KB4462211
    CVE Reference
    CVE-2019-0540, CVE-2019-0594, CVE-2019-0604, CVE-2019-0668, CVE-2019-0669, CVE-2019-0670, CVE-2019-0671, CVE-2019-0672, CVE-2019-0673, CVE-2019-0674, CVE-2019-0675
    CVSS Scores
    Base 9.3 / Temporal 7.3
    Description
    Microsoft released security updates in February 2019 to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB4018294
    KB4018300
    KB4018313
    KB4092465
    KB4461597
    KB4461607
    KB4461608
    KB4461630
    KB4462115
    KB4462138
    KB4462139
    KB4462143
    KB4462146
    KB4462154
    KB4462155
    KB4462171
    KB4462174
    KB4462177
    KB4462186
    KB4462211
    KB4462202
    KB4462184
    KB4462199

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2019

  • Microsoft Skype for Business 2015 Spoofing Vulnerability

    Severity
    Serious 3
    Qualys ID
    371640
    Vendor Reference
    Skype for Business 2015
    CVE Reference
    CVE-2019-0624
    CVSS Scores
    Base 3.5 / Temporal 2.6
    Description
    Skype for Business Server is real-time communications server software that provides the infrastructure for enterprise instant messaging, presence, VoIP, ad hoc and structured conferences and PSTN connectivity through a third-party gateway or SIP trunk.

    A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Skype for Business server.
    For the vulnerability to be exploited, a user must click a specially crafted URL that takes the user to a targeted Skype for Business site.
    In an email attack scenario, an attacker could exploit the vulnerability by sending an email message containing the specially crafted URL to the user of the targeted Skype for Business site and convincing the user to click the specially crafted URL.

    Affected Versions:
    Skype for Business Server 2015 prior to CU8

    QID Detection Logic:(Authenticated)
    It checks for vulnerable version of Skype Business Server 2015 by checking its fileversion.

    Consequence
    On successful exploitation an attacker could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user which allows unauthorized modification.
    Solution
    The vendor as addressed the vulnerability with Skype Business Server 2015 CU8.
    For more information please visit advisory

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Skype Business Server CU8

  • Microsoft Windows Exchange Server Update for February 2019 (ADV190007)(ADV190004)

    Severity
    Serious 3
    Qualys ID
    53021
    Vendor Reference
    ADV190004, ADV190007, CVE-2019-0686, CVE-2019-0724
    CVE Reference
    CVE-2019-0686, CVE-2019-0724
    CVSS Scores
    Base 9.3 / Temporal 8.4
    Description
    Microsoft Exchange Server is affected by an elevation of privilege vulnerabilities. An attacker who successfully exploits the vulnerability may impersonate any other user of the Exchange server. To exploit this vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user. (ADV190007, CVE-2019-0686 and CVE-2019-0724)

    Microsoft Exchange Server uses certain elements of the Oracle Outside In libraries. This update contains fixes for Oracle Outside as fixed in Oracle Critical Patch Update Advisory - October 2018. (ADV190004)

    Affected Products and Versions:
    Microsoft Exchange Server 2010 Service Pack 3
    Microsoft Exchange Server 2013
    Microsoft Exchange Server 2016
    Microsoft Exchange Server 2019

    QID Detection Logic (authenticated):
    The QID checks for the version of file Exsetup.exe.
    The version for Microsoft Exchange Server 2010 SP3 Cumulative Update 26 is 14.3.442.0
    The version for Microsoft Exchange Server 2013 Cumulative Update 22 is 15.0.1473.3
    The version for Microsoft Exchange Server 2016 Cumulative Update 12 is 15.1.1713.5
    The version for Microsoft Exchange Server 2019 Cumulative Update 1 is 15.2.330.5

    Consequence
    Successful exploitation of the vulnerability will allow elevation of privileges.

    Solution
    Refer to ADV190007, ADV190004, CVE-2019-0686 and CVE-2019-0724 for more details pertaining to these vulnerabilities.

    Workaround:
    To prevent EWS from leaking the Exchange server's NTLM credentials is to block EWS subscriptions from being created.To prevent EWS subscriptions from being created, use the following steps:

    1) Create an organization-scoped policy that blocks all EWS subscriptions:
    New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

    2) Create a regular-scoped policy, which can be used to whitelist trusted users who must have full EWS functionality:
    New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

    3) Assign the regular policy to any such users:
    Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions

    NOTE: Customer's should test their environment for the above workaround before it is deployed in production as it can be disruptive for some applications.

  • Microsoft Edge Security Update for February 2019

    Severity
    Urgent 5
    Qualys ID
    91502
    Vendor Reference
    KB4486996, KB4487017, KB4487018, KB4487020, KB4487026, KB4487044
    CVE Reference
    CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0634, CVE-2019-0640, CVE-2019-0641, CVE-2019-0642, CVE-2019-0643, CVE-2019-0644, CVE-2019-0645, CVE-2019-0648, CVE-2019-0649, CVE-2019-0650, CVE-2019-0651, CVE-2019-0652, CVE-2019-0654, CVE-2019-0655, CVE-2019-0658
    CVSS Scores
    Base 7.6 / Temporal 5.6
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser. Microsoft Edge is vulnerable to multiple issues.

    The KB Articles associated with the update:
    KB4487026
    KB4487018
    KB4487020
    KB4486996
    KB4487017
    KB4487044

    The QID Detection Logic (Authenticated):
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.10240.18132 (KB4487018)
    The patch version is 11.0.14393.2791 (KB4487026)
    The patch version is 11.0.15063.1631 (KB4487020)
    The patch version is 11.0.16299.967 (KB4486996)
    The patch version is 11.0.17134.590 (KB4487017)
    The patch version is 11.0.17763.316 (KB4487044)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.

    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows(Edge)

  • Microsoft .NET Framework Security Update February 2019

    Severity
    Critical 4
    Qualys ID
    91503
    Vendor Reference
    KB4483449, KB4483450, KB4483451, KB4483452, KB4483453, KB4483454, KB4483455, KB4483456, KB4483457, KB4483458, KB4483459, KB4483468, KB4483469, KB4483470, KB4483472, KB4483473, KB4483474, KB4483481, KB4483482, KB4483483, KB4483484, KB4486996, KB4487017, KB4487018, KB4487020, KB4487026
    CVE Reference
    CVE-2019-0613, CVE-2019-0657
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    A remote code execution vulnerability exists in .NET Framework software when the software fails to check the source markup of a file.

    A vulnerability exists in certain .Net Framework APIs in the way they parse URLs.

    KB4483449, KB4483450, KB4483451, KB4483452, KB4483453, KB4483454, KB4483455, KB4483456, KB4483457, KB4483458, KB4483459, KB4483468, KB4483469, KB4483470, KB4483472, KB4483473, KB4483474, KB4483481, KB4483482, KB4483483, KB4483484, KB4486996, KB4487017, KB4487018, KB4487020, KB4487026 are covered in this QID.

    This security update is rated Important for supported versions of Microsoft .NET Framework.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of system.dll

    Consequence
    An attacker who successfully exploited the vulnerability can run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker can take control of the affected system.
    Solution
    Customers are advised to refer to CVE-2019-0613, CVE-2019-0657 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-0657

  • Microsoft Windows Security Update February 2019

    Severity
    Critical 4
    Qualys ID
    91504
    Vendor Reference
    KB4486563, KB4486564, KB4486993, KB4486996, KB4487000, KB4487017, KB4487018, KB4487019, KB4487020, KB4487023, KB4487025, KB4487026, KB4487028, KB4487044
    CVE Reference
    CVE-2019-0595, CVE-2019-0596, CVE-2019-0597, CVE-2019-0598, CVE-2019-0599, CVE-2019-0600, CVE-2019-0601, CVE-2019-0602, CVE-2019-0615, CVE-2019-0616, CVE-2019-0618, CVE-2019-0619, CVE-2019-0621, CVE-2019-0623, CVE-2019-0625, CVE-2019-0626, CVE-2019-0627, CVE-2019-0628, CVE-2019-0630, CVE-2019-0631, CVE-2019-0632, CVE-2019-0633, CVE-2019-0635, CVE-2019-0636, CVE-2019-0637, CVE-2019-0656, CVE-2019-0659, CVE-2019-0660, CVE-2019-0661, CVE-2019-0662, CVE-2019-0663, CVE-2019-0664
    CVSS Scores
    Base 9.3 / Temporal 7.3
    Description
    A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. (CVE-2019-0595, CVE-2019-0596, CVE-2019-0597, CVE-2019-0598, CVE-2019-0599, CVE-2019-0625)
    An information disclosure vulnerability exists when the Human Interface Devices (HID) component improperly handles objects in memory. (CVE-2019-0600, CVE-2019-0601)
    An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. (CVE-2019-0602, CVE-2019-0615, CVE-2019-0616, CVE-2019-0619, CVE-2019-0664)
    A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. (CVE-2019-0618, CVE-2019-0660, CVE-2019-0662)
    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2019-0621, CVE-2019-0661)
    An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. (CVE-2019-0623)
    A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server. (CVE-2019-0626)
    A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard. (CVE-2019-0627, CVE-2019-0631, CVE-2019-0632)
    An information disclosure vulnerability exists when the win32k component improperly provides kernel information. (CVE-2019-0628)
    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests. (CVE-2019-0630, CVE-2019-0633)
    An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0635)
    An information vulnerability exists when Windows improperly discloses file information. (CVE-2019-0636)
    A security feature bypass vulnerability exists when Windows Defender Firewall incorrectly applies firewall profiles to cellular network connections. (CVE-2019-0637)
    An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. (CVE-2019-0656)
    An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. (CVE-2019-0659)
    An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2019-0663)

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
    This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
    The patch version of 6.0.6002.24556 (KB4487023 or KB4487019)
    The patch version of 6.1.7601.24354 (KB4486563 or KB4486564)
    The patch version of 6.2.9200.22672 (KB4487025 or KB4486993)
    The patch version of 6.3.9600.19263 (KB4487000 or KB4487028)
    The patch version of 10.0.10240.18132 (KB4487018)
    The patch version of 10.0.14393.2791 (KB4487026)
    The patch version of 10.0.15063.1631 (KB4487020)
    The patch version of 10.0.16299.967 (KB4486996)
    The patch version of 10.0.17134.590 (KB4487017)
    The patch version of 10.0.17763.316 (KB4487044)

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.

    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Guidance Windows

  • Microsoft Visual Studio 2017 Security Update February 2019

    Severity
    Critical 4
    Qualys ID
    91505
    Vendor Reference
    Visual Studio 2017 version 15.0 (26228.73), Visual Studio 2017 version 15.9.7
    CVE Reference
    CVE-2019-0613, CVE-2019-0657
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    A remote code execution vulnerability exists in visual studio software when the software fails to check the source markup of a file.

    A vulnerability exists in visual studio in the way they parse URLs.

    This security update is rated Important for supported versions of Microsoft Visual Studio 2017.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of devenv.exe on all instances of Visual Studio.

    Consequence
    An attacker who successfully exploited the vulnerability can run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker can take control of the affected system.
    Solution
    Customers are advised to refer to CVE-2019-0613, CVE-2019-0657 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Visual Studio 2017 version 15.0 (26228.73)
    Visual Studio 2017 version 15.9.7

These new vulnerability checks are included in Qualys vulnerability signature 2.4.537-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100359
    • 100360
    • 110330
    • 371640
    • 53021
    • 91502
    • 91503
    • 91504
    • 91505
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.