Microsoft security alert.
April 9, 2019
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 75 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Windows Adobe Flash Player Security Update for April 2019 (ADV190011)
- Severity
- Critical 4
- Qualys ID
- 100365
- Vendor Reference
- ADV190011
- CVE Reference
- CVE-2019-7096, CVE-2019-7108
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
The update contains security fixes for Adobe Flash Player on Internet Explorer.
Affected Versions:
Windows 8 Embedded, Windows 10 Version 1803, Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1809, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, Windows Server 2019 and Windows Server 2012 with Adobe Flash Player version prior to 32.0.0.171.QID Detection Logic:
This authenticated QID will flag if file version of %windir%\System32\Macromed\Flash\Flash.ocx is less than or equal to 32.0.0.171. - Consequence
-
Successful exploitation of the vulnerability will lead to information disclosure or arbitrary code execution.
- Solution
-
Customers are advised to follow 4493478 for instructions pertaining to the remediation of this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4493478 Windows
-
Microsoft Internet Explorer Security Update for April 2019
- Severity
- Critical 4
- Qualys ID
- 100367
- Vendor Reference
- KB4493435, KB4493441, KB4493446, KB4493451, KB4493464, KB4493470, KB4493471, KB4493472, KB4493474, KB4493475, KB4493509
- CVE Reference
- CVE-2019-0752, CVE-2019-0753, CVE-2019-0764, CVE-2019-0835, CVE-2019-0862
- CVSS Scores
- Base 7.6 / Temporal 6.6
- Description
-
Microsoft releases the security update for Internet Explorer April 2019
The KB Articles associated with the update:
KB4493474
KB4493446
KB4493464
KB4493470
KB4493475
KB4493451
KB4493472
KB4493471
KB4493441
KB4493435
KB4493509
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7 Service Pack 1, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.
This QID checks for the file version of %windir%\System32\mshtml.dll
The following versions of mshtml.dll with their corresponding KBs are verified:
1.KB4489871 11.0.15063.1689
2.KB4493435 10.0.9200.22722, 11.0.9600.19326, 9.0.8112.21329
3.KB4493441 11.0.16299.1087
4.KB4493446 11.0.9600.19326
5.KB4493464 11.0.17134.706
6.KB4493470 11.0.14393.2906
7.KB4493472 11.0.9600.19326
8.KB4493474 11.0.15063.1746
9.KB4493475 11.0.10240.18186
10.KB4493509 11.0.17763.437
- Consequence
- Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update April 2019
- Severity
- Critical 4
- Qualys ID
- 110333
- Vendor Reference
- KB4462204, KB4462209, KB4462213, KB4462223, KB4462230, KB4462236, KB4462242, KB4464504, KB4464510, KB4464511, KB4464515, KB4464518, KB4464520, KB4464525, KB4464528
- CVE Reference
- CVE-2019-0801, CVE-2019-0822, CVE-2019-0823, CVE-2019-0824, CVE-2019-0825, CVE-2019-0826, CVE-2019-0827, CVE-2019-0828, CVE-2019-0830, CVE-2019-0831
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft released security updates in April 2019 to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4464504
KB4462242
KB4462223
KB4464520
KB4462204
KB4462213
KB4462230
KB4462236
KB4462209
KB4464515
KB4464510
KB4464518
KB4464525
KB4464511
KB4464528
QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.Note: for Office Click to Run , This QID only support "Semi-Annual Channel 1808" at this time.
- Consequence
- Successful exploitation allows an attacker to execute arbitrary code.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update April 2019
-
Microsoft Windows Exchange Server Update for April 2019
- Severity
- Critical 4
- Qualys ID
- 50091
- Vendor Reference
- April 2019 Security Updates
- CVE Reference
- CVE-2019-0817, CVE-2019-0858
- CVSS Scores
- Base 5.8 / Temporal 4.3
- Description
-
Multiple spoofing vulnerability exist in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests. To exploit the vulnerability, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link.
The security update addresses the vulnerability by correcting how OWA validates web requests.
Affected Software:
Microsoft Exchange Server 2010 Service Pack 3
Microsoft Exchange Server 2013 Cumulative Update 22
Microsoft Exchange Server 2016 Cumulative Update 11
Microsoft Exchange Server 2016 Cumulative Update 12
Microsoft Exchange Server 2019
Microsoft Exchange Server 2019 Cumulative Update 1KB Articles covered: KB4491413, KB4487563
QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe.
The version for Microsoft Exchange Server 2010 SP3 is 14.3.452.0
The version for Microsoft Exchange Server 2013 Cumulative Update 22 is 15.0.1473.4
The version for Microsoft Exchange Server 2016 Cumulative Update 11 is 15.1.1591.16
The version for Microsoft Exchange Server 2016 Cumulative Update 12 is 15.1.1713.6
The version for Microsoft Exchange Server 2019 is 15.2.221.16
The version for Microsoft Exchange Server 2019 Cumulative Update 1 is 15.2.330.7 - Consequence
- An attacker who successfully exploited the vulnerability could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information. An attacker could also redirect the user to a malicious website that could spoof content or the vulnerability could be used as a pivot to chain an attack with other vulnerabilities in web services.
- Solution
-
Customers are advised to refer to April 2019 Security Updates for updates pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
April 2019 Security Updates
-
Microsoft Team Foundation Server Update for April 2019
- Severity
- Critical 4
- Qualys ID
- 91520
- Vendor Reference
- April 2019 Security Release
- CVE Reference
- CVE-2019-0857, CVE-2019-0866, CVE-2019-0867, CVE-2019-0868, CVE-2019-0869, CVE-2019-0870, CVE-2019-0871, CVE-2019-0874, CVE-2019-0875
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
The Microsoft Team Foundation Server update for April 2019 remediates the following vulnerabilities:
CVE-2019-0857: spoofing vulnerability in the Wiki
CVE-2019-0866: remote code execution vulnerability in Pipelines
CVE-2019-0867: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0868: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0869: HTML injection vulnerability in Pipelines
CVE-2019-0870: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0871: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0874: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0875: elevation of privilege vulnerability in BoardsAffected Software:
Team Foundation Server 2015 Update 4.1
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 3.2
Team Foundation Server 2018 Updated 1.2
Azure DevOps Server 2019QID Detection Logic:
Operating System: Windows
This authenticated QID locates file versions via the HKLM\Software\Microsoft\TeamFoundationServer registry key. The following files are checked:
TFS 2015 Update 4.2 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 14.114.28805.0
TFS 2018 Update 3.2 Patch 3 - Microsoft.TeamFoundation.WorkItemTracking.Web.dll - 16.131.28728.4.
TFS 2018 Update 1.2 Patch 3 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 16.122.28801.2
TFS 2017 Update 3.1 Patch 4 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 15.117.28728.0
Azure DevOps Server 2019 Patch 1 - Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll - 17.143.28804.3 - Consequence
- The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content.
- Solution
-
Customers are advised to refer to April 2019 Security Release for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
April 2019 Security Updates
-
Microsoft Edge Security Update for April 2019
- Severity
- Critical 4
- Qualys ID
- 91521
- Vendor Reference
- KB4493441, KB4493464, KB4493470, KB4493474, KB4493475, KB4493509
- CVE Reference
- CVE-2019-0739, CVE-2019-0764, CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0833, CVE-2019-0860, CVE-2019-0861
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Microsoft releases the security update for Microsoft Edge April 2019
The KB Articles associated with the update:
KB4493441
KB4493464
KB4493470
KB4493474
KB4493475
KB4493509
QID Detection Logic (Authenticated):
This QID reviews the file version of %windir%\System32\edgehtml.dll
The patch version is 11.0.16299.1087 (KB4493441)
The patch version is 11.0.17134.706 (KB4493464)
The patch version is 11.0.14393.2906 (KB4493470)
The patch version is 11.0.15063.1746 (KB4493474)
The patch version is 11.0.10240.18186 (KB4493475)
The patch version is 11.0.17763.437 (KB4493509)
- Consequence
- Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Windows Security Update for April 2019
- Severity
- Critical 4
- Qualys ID
- 91522
- Vendor Reference
- KB4493441, KB4493446, KB4493448, KB4493450, KB4493451, KB4493458, KB4493464, KB4493467, KB4493470, KB4493471, KB4493472, KB4493474, KB4493475, KB4493509, KB4493552
- CVE Reference
- CVE-2019-0685, CVE-2019-0688, CVE-2019-0730, CVE-2019-0731, CVE-2019-0732, CVE-2019-0735, CVE-2019-0786, CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0794, CVE-2019-0795, CVE-2019-0796, CVE-2019-0802, CVE-2019-0803, CVE-2019-0805, CVE-2019-0813, CVE-2019-0814, CVE-2019-0836, CVE-2019-0837, CVE-2019-0838, CVE-2019-0839, CVE-2019-0840, CVE-2019-0841, CVE-2019-0842, CVE-2019-0844, CVE-2019-0845, CVE-2019-0846, CVE-2019-0847, CVE-2019-0848, CVE-2019-0849, CVE-2019-0851, CVE-2019-0853, CVE-2019-0856, CVE-2019-0859, CVE-2019-0877, CVE-2019-0879
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft has released the security update for Windows April 2019
The KB Articles associated with the update:
KB4493446
KB4493467
KB4493472
KB4493448
KB4493451
KB4493450
KB4493471
KB4493458
KB4493470
KB4493475
KB4493474
KB4493441
KB4493464
KB4493509
KB4493552
QID Detection Logic(Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
The patch version of 6.0.6003.20489(KB4493471 or KB4493458)
The patch version of 6.1.7601.24408(KB4493472 or KB4493448)
The patch version of 6.2.9200.22720(KB4493451 or KB4493450)
The patch version of 6.3.9600.19321(KB4493446 or KB4493467)
The patch version of 10.0.10240.18186(KB4493475)
The patch version of 10.0.14393.2906(KB4493470)
The patch version of 10.0.15063.1746(KB4493474)
The patch version of 10.0.16299.1087(KB4493441)
The patch version of 10.0.17134.706(KB4493464)
The patch version of 10.0.17763.437(KB4493509)
- Consequence
- Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Windows Servicing Stack Security Update April 2019
- Severity
- Serious 3
- Qualys ID
- 91523
- Vendor Reference
- KB4493730
- CVE Reference
- N/A
- CVSS Scores
- Base 5.1 / Temporal 3.8
- Description
-
Microsoft has released Servicing Stack security updates for Windows Server 2008 SP2.
The update addresses an issue in the servicing stack when you install an update that has been signed by using only the SHA-2 hash algorithm. The servicing stack updates (SSU) makes sure that the servicing stack is robust and reliable such that devices can receive and install Microsoft security fixes.
. QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008 Service Pack 2
This QID checks for following file versions %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
The patch version of 6.0.6003.20484 (KB4493730)
- Consequence
- Successful exploitation allows attacker to compromise the system.
- Solution
-
Customers are advised to refer to advisrory ADV990001for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4493730
-
Microsoft ASP.NET Core Denial Of Service Vulnerability April 2019
- Severity
- Serious 3
- Qualys ID
- 91524
- Vendor Reference
- CVE-2019-0815
- CVE Reference
- CVE-2019-0815
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests.
A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to the .NET Core application.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of aspnetcorev2.dll. NOTE: Target is vulnerable only if AspNetCoreModuleV2 module is used in their application. Detection does not check for web.config configuration, that is why it is marked under potential category. - Consequence
- An attacker who successfully exploited this vulnerability can cause a denial of service against an ASP.NET Core web application.
- Solution
-
Microsoft has released a patch CVE-2019-0815
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-0815
-
Microsoft Windows Admin Center Elevation of Privilege Vulnerability
- Severity
- Serious 3
- Qualys ID
- 91525
- Vendor Reference
- KB4493552
- CVE Reference
- CVE-2019-0813
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
Windows Admin Center is a customer-deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs.
An elevation of privilege vulnerability exists when Windows Admin Center improperly impersonates operations in certain situations.
Affected Products:
Windows Admin Center prior to 1809.5QID Detection Logic (authenticated):
Operating Systems: Windows 10, Windows 2016, Windows 2019
The checks the versuib if the file sme.exe, the patched version is 1.1.1903.26001 - Consequence
-
Successful exploitation will allow elevation of privileges.
- Solution
-
Customers are advised to refer KB4493552for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Windows Admin Center
These new vulnerability checks are included in Qualys vulnerability signature 2.4.576-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100365
- 100367
- 110333
- 50091
- 91520
- 91521
- 91522
- 91523
- 91524
- 91525
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.