Cloud Platform
Community
Support
Try it

Microsoft security alert.

March 12, 2019

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 62 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit our blog to see how to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for March 2019

    Severity
    Critical 4
    Qualys ID
    100363
    Vendor Reference
    KB4489868, KB4489871, KB4489872, KB4489873, KB4489878, KB4489880, KB4489881, KB4489882, KB4489886, KB4489891, KB4489899
    CVE Reference
    CVE-2019-0609, CVE-2019-0665, CVE-2019-0666, CVE-2019-0667, CVE-2019-0680, CVE-2019-0746, CVE-2019-0761, CVE-2019-0762, CVE-2019-0763, CVE-2019-0768, CVE-2019-0780, CVE-2019-0783
    CVSS Scores
    Base 7.6 / Temporal 6
    Description
    Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.

    Microsoft has released Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7 Service Pack 1, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.

    This QID checks for the file version of %windir%\System32\mshtml.dll

    The following versions of mshtml.dll with their corresponding KBs are verified:
    1.KB4489868 - 11.0.17134.648
    2.KB4489871 - 11.0.15063.1689
    3.KB4489872 - 11.0.10240.18158
    4.KB4489873 - 10.0.9200.22695, 11.0.9600.19301, 9.0.8112.21322, 8.0.6001.24170
    5.KB4489878 - 11.0.9600.19301
    6.KB4489880 - 9.0.8112.21322
    7.KB4489881 - 11.0.9600.19301
    8.KB4489882 - 11.0.14393.2848
    9.KB4489886 - 11.0.16299.1029
    10.KB4489891 - 10.0.9200.22695
    11.KB4489899 - 11.0.17763.379

    Consequence
    Successful exploitation of these vulnerabilities can lead to arbitrary code execution within the context of the current user.

    Solution
    For more information, refer to the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Windows Adobe Flash Player Security Update for March 2019 (ADV190008)

    Severity
    Serious 3
    Qualys ID
    100364
    Vendor Reference
    ADV190008
    CVE Reference
    N/A
    CVSS Scores
    Base 4.4 / Temporal 3.3
    Description
    The update contains security fixes for Adobe Flash Player on Internet Explorer.

    Affected Versions:
    Windows 8 Embedded, Windows 10 Version 1803, Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1809, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, Windows Server 2019 and Windows Server 2012 with Adobe Flash Player version prior to 32.0.0.156.

    QID Detection Logic:
    This authenticated QID will flag if file version of %windir%\System32\Macromed\Flash\Flash.ocx is less than or equal to 32.0.0.156.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Customers are advised to follow 4489907 for instructions pertaining to the remediation of this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV190008

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update March 2019

    Severity
    Serious 3
    Qualys ID
    110332
    Vendor Reference
    KB4462208, KB4462211, KB4462226
    CVE Reference
    CVE-2019-0748, CVE-2019-0778, CVE-2019-0798
    CVSS Scores
    Base 9.3 / Temporal 7.3
    Description
    Microsoft released security updates in March 2019 to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB4462226
    KB4462208
    KB4462211

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update March 2019

  • Microsoft Edge Security Update for March 2019

    Severity
    Critical 4
    Qualys ID
    91509
    Vendor Reference
    KB4489868, KB4489871, KB4489872, KB4489882, KB4489886, KB4489899
    CVE Reference
    CVE-2019-0592, CVE-2019-0609, CVE-2019-0611, CVE-2019-0612, CVE-2019-0639, CVE-2019-0678, CVE-2019-0746, CVE-2019-0762, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771, CVE-2019-0773, CVE-2019-0779, CVE-2019-0780
    CVSS Scores
    Base 7.6 / Temporal 6
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser. Microsoft Edge is vulnerable to multiple issues.

    The KB Articles associated with the update:
    KB4489899
    KB4489886
    KB4489882
    KB4489872
    KB4489871
    KB4489868

    The QID Detection Logic (Authenticated):
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.17763.379 (KB4489899)
    The patch version is 11.0.16299.1029 (KB4489886)
    The patch version is 11.0.14393.2848 (KB4489882)
    The patch version is 11.0.10240.18158 (KB4489872)
    The patch version is 11.0.15063.1689 (KB4489871)
    The patch version is 11.0.17134.648 (KB4489868)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows(Edge)

  • Microsoft Windows Security Update March 2019

    Severity
    Critical 4
    Qualys ID
    91510
    Vendor Reference
    KB4489868, KB4489871, KB4489872, KB4489876, KB4489878, KB4489880, KB4489881, KB4489882, KB4489883, KB4489884, KB4489885, KB4489886, KB4489891, KB4489899
    CVE Reference
    CVE-2019-0603, CVE-2019-0614, CVE-2019-0617, CVE-2019-0682, CVE-2019-0683, CVE-2019-0689, CVE-2019-0690, CVE-2019-0692, CVE-2019-0693, CVE-2019-0694, CVE-2019-0695, CVE-2019-0696, CVE-2019-0697, CVE-2019-0698, CVE-2019-0701, CVE-2019-0702, CVE-2019-0703, CVE-2019-0704, CVE-2019-0726, CVE-2019-0754, CVE-2019-0755, CVE-2019-0756, CVE-2019-0759, CVE-2019-0765, CVE-2019-0766, CVE-2019-0767, CVE-2019-0772, CVE-2019-0774, CVE-2019-0775, CVE-2019-0776, CVE-2019-0782, CVE-2019-0784, CVE-2019-0797, CVE-2019-0808, CVE-2019-0821
    CVSS Scores
    Base 9.3 / Temporal 8.1
    Description
    Remote code execution vulnerability exists in the way that Windows Deployment Services TFTP Server handles objects in memory.(CVE-2019-0603)

    Information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory.(CVE-2019-0614)

    Remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory.(CVE-2019-0617)

    Elevation of privilege vulnerability exists due to an integer overflow in Windows Subsystem for Linux.(CVE-2019-0682,CVE-2019-0692,CVE-2019-0693,CVE-2019-0694)

    Elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.(CVE-2019-0683, CVE-2019-0689)

    Denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system.(CVE-2019-0690, CVE-2019-0695, CVE-2019-0701)

    Elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory.(CVE-2019-0696,CVE-2019-0702,CVE-2019-0755)

    Memory corruption vulnerability exists when an attacker sends specially crafted DHCP responses to a client.(CVE-2019-0697,CVE-2019-0698,CVE-2019-0726)

    Information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests.(CVE-2019-0703,CVE-2019-0704,CVE-2019-0821)

    Denial of service vulnerability exists when Windows improperly handles objects in memory.(CVE-2019-0754)

    Remote code execution vulnerability exists when the MSXML parser processes user input.(CVE-2019-0756)

    Information disclosure vulnerability exists when the Windows Print Spooler does not properly handle objects in memory.(CVE-2019-0759)

    Remote code execution vulnerability exists in the way that comctl32.dll handles objects in memory.(CVE-2019-0765)

    Elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations.(CVE-2019-0766)

    Information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.(CVE-2019-0767, CVE-2019-0782)

    Remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory.(CVE-2019-0772)

    Information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory.(CVE-2019-0774)

    Information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory.(CVE-2019-0775)

    Information disclosure vulnerability exists when the win32k component improperly provides kernel information.(CVE-2019-0776)

    Remote code execution vulnerability exists in the way that the ADO handles objects in memory.(CVE-2019-0784)

    Elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.(CVE-2019-0797,CVE-2019-0808)

    QID Detection Logic(Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
    This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
    The patch version of 6.0.6002.24565(KB4489880 or KB44489876)
    The patch version of 6.1.7601.24387(KB4489878 or KB4489885)
    The patch version of 6.2.9200.22702(KB4489884 or KB4489891)
    The patch version of 6.3.9600.19304(KB4489881 or KB44898838)
    The patch version of 10.0.10240.18158(KB4489872)
    The patch version of 10.0.14393.2848(KB4489882)
    The patch version of 10.0.15063.1689(KB4489871)
    The patch version of 10.0.16299.1029(KB4489886)
    The patch version of 10.0.17134.648(KB4489868)
    The patch version of 10.0.17763.379(KB4489899)

    Consequence
    Successful exploitation allows an attacker to remote code execution and take control of an affected system.

    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Guidance Windows

  • Microsoft Visual Studio 2017 Security Update March 2019

    Severity
    Critical 4
    Qualys ID
    91511
    Vendor Reference
    Visual Studio 2017 version 15.9.9
    CVE Reference
    CVE-2019-0809
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    A remote code execution vulnerability exists when the Visual Studio C++ Redistributable Installer improperly validates input before loading dynamic link library (DLL) files.

    This security update is rated Important for supported versions of Microsoft Visual Studio 2017.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of devenv.exe on all instances of Visual Studio.

    Consequence
    An attacker who successfully exploited the vulnerability can run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker can take control of the affected system.
    Solution
    Customers are advised to refer to CVE-2019-0809 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Visual Studio 2017 version 15.9.9

  • Microsoft Team Foundation Server Update for March 2019

    Severity
    Critical 4
    Qualys ID
    91512
    Vendor Reference
    CVE-2019-0777
    CVE Reference
    CVE-2019-0777
    CVSS Scores
    Base 3.5 / Temporal 2.6
    Description
    A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content.

    Affected Versions:
    Team Foundation Server 2017 Update 3.1
    Team Foundation Server 2018 Update 1.2
    Team Foundation Server 2018 Update 3.2

    QID Detection Logic:
    Operating System: Windows
    This authenticated QID locates vulnerable Microsoft.TeamFoundation.Server.WebAccess.Admin.dll or Microsoft.TeamFoundation.WorkItemTracking.Web.dll file versions via the HKLM\Software\Microsoft\TeamFoundationServer registry key to detect if they are lower than:
    - 15.117.28627.0
    - 16.122.28627.2
    - 16.131.28626.3

    Consequence
    An authenticated attacker could exploit the vulnerability by transmitting crafted input to the Team Foundation Server, which will get executed in the context of the user every time a user visits the compromised page.
    Solution
    Customers are advised to refer to CVE-2019-0777 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-0777

  • Microsoft Windows Servicing Stack Security Update March 2019

    Severity
    Serious 3
    Qualys ID
    91513
    Vendor Reference
    KB4490628
    CVE Reference
    N/A
    CVSS Scores
    Base 5.1 / Temporal 3.8
    Description
    icrosoft has released Servicing Stack security updates for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1.

    The update addresses an issue in the servicing stack when you install an update that has been signed by using only the SHA-2 hash algorithm. The servicing stack updates (SSU) makes sure that the servicing stack is robust and reliable such that devices can receive and install Microsoft security fixes.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1
    This QID checks for following file versions %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
    The patch version of 6.1.7601.24383 (KB4490628)

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Customers are advised to refer to advisrory ADV990001for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4490628

  • Microsoft Windows SHA-2 Code Sign Support Update Missing (ADV190009)

    Severity
    Serious 3
    Qualys ID
    91514
    Vendor Reference
    ADV190009
    CVE Reference
    N/A
    CVSS Scores
    Base 4.3 / Temporal 2.9
    Description
    Microsoft has released update to add support for SHA-2 code sign support on Windows 7 SP1, and Windows Server 2008 R2 SP1.

    The updates help verify that regular updates are coming from Microsoft and have not been tampered.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1
    This QID checks for following file versions %windir%\System32\crypt32.dll:
    The patch version of 6.1.7601.24382 (KB4474419)

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Customers are advised to refer to advisrory ADV190009 for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV190009

These new vulnerability checks are included in Qualys vulnerability signature 2.4.556-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100363
    • 100364
    • 110332
    • 91509
    • 91510
    • 91511
    • 91512
    • 91513
    • 91514
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.