Microsoft security alert.

April 9, 2019

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 75 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Windows Adobe Flash Player Security Update for April 2019 (ADV190011)

    Severity
    Critical 4
    Qualys ID
    100365
    Vendor Reference
    ADV190011
    CVE Reference
    CVE-2019-7096, CVE-2019-7108
    CVSS Scores
    Base 10 / Temporal 7.4
    Description
    The update contains security fixes for Adobe Flash Player on Internet Explorer.

    Affected Versions:
    Windows 8 Embedded, Windows 10 Version 1803, Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1809, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, Windows Server 2019 and Windows Server 2012 with Adobe Flash Player version prior to 32.0.0.171.

    QID Detection Logic:
    This authenticated QID will flag if file version of %windir%\System32\Macromed\Flash\Flash.ocx is less than or equal to 32.0.0.171.

    Consequence
    Successful exploitation of the vulnerability will lead to information disclosure or arbitrary code execution.

    Solution
    Customers are advised to follow 4493478 for instructions pertaining to the remediation of this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4493478 Windows

  • Microsoft Internet Explorer Security Update for April 2019

    Severity
    Critical 4
    Qualys ID
    100367
    Vendor Reference
    KB4493435, KB4493441, KB4493446, KB4493451, KB4493464, KB4493470, KB4493471, KB4493472, KB4493474, KB4493475, KB4493509
    CVE Reference
    CVE-2019-0752, CVE-2019-0753, CVE-2019-0764, CVE-2019-0835, CVE-2019-0862
    CVSS Scores
    Base 7.6 / Temporal 6.6
    Description
    Microsoft releases the security update for Internet Explorer April 2019

    The KB Articles associated with the update:
    KB4493474
    KB4493446
    KB4493464
    KB4493470
    KB4493475
    KB4493451
    KB4493472
    KB4493471
    KB4493441
    KB4493435
    KB4493509
    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7 Service Pack 1, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.

    This QID checks for the file version of %windir%\System32\mshtml.dll

    The following versions of mshtml.dll with their corresponding KBs are verified:
    1.KB4489871 11.0.15063.1689
    2.KB4493435 10.0.9200.22722, 11.0.9600.19326, 9.0.8112.21329
    3.KB4493441 11.0.16299.1087
    4.KB4493446 11.0.9600.19326
    5.KB4493464 11.0.17134.706
    6.KB4493470 11.0.14393.2906
    7.KB4493472 11.0.9600.19326
    8.KB4493474 11.0.15063.1746
    9.KB4493475 11.0.10240.18186
    10.KB4493509 11.0.17763.437

    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update April 2019

    Severity
    Critical 4
    Qualys ID
    110333
    Vendor Reference
    KB4462204, KB4462209, KB4462213, KB4462223, KB4462230, KB4462236, KB4462242, KB4464504, KB4464510, KB4464511, KB4464515, KB4464518, KB4464520, KB4464525, KB4464528
    CVE Reference
    CVE-2019-0801, CVE-2019-0822, CVE-2019-0823, CVE-2019-0824, CVE-2019-0825, CVE-2019-0826, CVE-2019-0827, CVE-2019-0828, CVE-2019-0830, CVE-2019-0831
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft released security updates in April 2019 to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB4464504
    KB4462242
    KB4462223
    KB4464520
    KB4462204
    KB4462213
    KB4462230
    KB4462236
    KB4462209
    KB4464515
    KB4464510
    KB4464518
    KB4464525
    KB4464511
    KB4464528

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Note: for Office Click to Run , This QID only support "Semi-Annual Channel 1808" at this time.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update April 2019

  • Microsoft Windows Exchange Server Update for April 2019

    Severity
    Critical 4
    Qualys ID
    50091
    Vendor Reference
    April 2019 Security Updates
    CVE Reference
    CVE-2019-0817, CVE-2019-0858
    CVSS Scores
    Base 5.8 / Temporal 4.3
    Description
    Multiple spoofing vulnerability exist in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests. To exploit the vulnerability, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link.

    The security update addresses the vulnerability by correcting how OWA validates web requests.

    Affected Software:
    Microsoft Exchange Server 2010 Service Pack 3
    Microsoft Exchange Server 2013 Cumulative Update 22
    Microsoft Exchange Server 2016 Cumulative Update 11
    Microsoft Exchange Server 2016 Cumulative Update 12
    Microsoft Exchange Server 2019
    Microsoft Exchange Server 2019 Cumulative Update 1

    KB Articles covered: KB4491413, KB4487563

    QID Detection Logic (authenticated):
    The QID checks for the version of file Exsetup.exe.
    The version for Microsoft Exchange Server 2010 SP3 is 14.3.452.0
    The version for Microsoft Exchange Server 2013 Cumulative Update 22 is 15.0.1473.4
    The version for Microsoft Exchange Server 2016 Cumulative Update 11 is 15.1.1591.16
    The version for Microsoft Exchange Server 2016 Cumulative Update 12 is 15.1.1713.6
    The version for Microsoft Exchange Server 2019 is 15.2.221.16
    The version for Microsoft Exchange Server 2019 Cumulative Update 1 is 15.2.330.7

    Consequence
    An attacker who successfully exploited the vulnerability could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information. An attacker could also redirect the user to a malicious website that could spoof content or the vulnerability could be used as a pivot to chain an attack with other vulnerabilities in web services.
    Solution
    Customers are advised to refer to April 2019 Security Updates for updates pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    April 2019 Security Updates

  • Microsoft Team Foundation Server Update for April 2019

    Severity
    Critical 4
    Qualys ID
    91520
    Vendor Reference
    April 2019 Security Release
    CVE Reference
    CVE-2019-0857, CVE-2019-0866, CVE-2019-0867, CVE-2019-0868, CVE-2019-0869, CVE-2019-0870, CVE-2019-0871, CVE-2019-0874, CVE-2019-0875
    CVSS Scores
    Base 5 / Temporal 3.7
    Description
    The Microsoft Team Foundation Server update for April 2019 remediates the following vulnerabilities:
    CVE-2019-0857: spoofing vulnerability in the Wiki
    CVE-2019-0866: remote code execution vulnerability in Pipelines
    CVE-2019-0867: cross site scripting (XSS) vulnerability in Pipelines
    CVE-2019-0868: cross site scripting (XSS) vulnerability in Pipelines
    CVE-2019-0869: HTML injection vulnerability in Pipelines
    CVE-2019-0870: cross site scripting (XSS) vulnerability in Pipelines
    CVE-2019-0871: cross site scripting (XSS) vulnerability in Pipelines
    CVE-2019-0874: cross site scripting (XSS) vulnerability in Pipelines
    CVE-2019-0875: elevation of privilege vulnerability in Boards

    Affected Software:
    Team Foundation Server 2015 Update 4.1
    Team Foundation Server 2017 Update 3.1
    Team Foundation Server 2018 Update 3.2
    Team Foundation Server 2018 Updated 1.2
    Azure DevOps Server 2019

    QID Detection Logic:
    Operating System: Windows
    This authenticated QID locates file versions via the HKLM\Software\Microsoft\TeamFoundationServer registry key. The following files are checked:
    TFS 2015 Update 4.2 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 14.114.28805.0
    TFS 2018 Update 3.2 Patch 3 - Microsoft.TeamFoundation.WorkItemTracking.Web.dll - 16.131.28728.4.
    TFS 2018 Update 1.2 Patch 3 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 16.122.28801.2
    TFS 2017 Update 3.1 Patch 4 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 15.117.28728.0
    Azure DevOps Server 2019 Patch 1 - Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll - 17.143.28804.3

    Consequence
    The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content.
    Solution
    Customers are advised to refer to April 2019 Security Release for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    April 2019 Security Updates

  • Microsoft Edge Security Update for April 2019

    Severity
    Critical 4
    Qualys ID
    91521
    Vendor Reference
    KB4493441, KB4493464, KB4493470, KB4493474, KB4493475, KB4493509
    CVE Reference
    CVE-2019-0739, CVE-2019-0764, CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0833, CVE-2019-0860, CVE-2019-0861
    CVSS Scores
    Base 7.6 / Temporal 6.3
    Description
    Microsoft releases the security update for Microsoft Edge April 2019

    The KB Articles associated with the update:
    KB4493441
    KB4493464
    KB4493470
    KB4493474
    KB4493475
    KB4493509

    QID Detection Logic (Authenticated):
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.16299.1087 (KB4493441)
    The patch version is 11.0.17134.706 (KB4493464)
    The patch version is 11.0.14393.2906 (KB4493470)
    The patch version is 11.0.15063.1746 (KB4493474)
    The patch version is 11.0.10240.18186 (KB4493475)
    The patch version is 11.0.17763.437 (KB4493509)

    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows

  • Microsoft Windows Security Update for April 2019

    Severity
    Critical 4
    Qualys ID
    91522
    Vendor Reference
    KB4493441, KB4493446, KB4493448, KB4493450, KB4493451, KB4493458, KB4493464, KB4493467, KB4493470, KB4493471, KB4493472, KB4493474, KB4493475, KB4493509, KB4493552
    CVE Reference
    CVE-2019-0685, CVE-2019-0688, CVE-2019-0730, CVE-2019-0731, CVE-2019-0732, CVE-2019-0735, CVE-2019-0786, CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793, CVE-2019-0794, CVE-2019-0795, CVE-2019-0796, CVE-2019-0802, CVE-2019-0803, CVE-2019-0805, CVE-2019-0813, CVE-2019-0814, CVE-2019-0836, CVE-2019-0837, CVE-2019-0838, CVE-2019-0839, CVE-2019-0840, CVE-2019-0841, CVE-2019-0842, CVE-2019-0844, CVE-2019-0845, CVE-2019-0846, CVE-2019-0847, CVE-2019-0848, CVE-2019-0849, CVE-2019-0851, CVE-2019-0853, CVE-2019-0856, CVE-2019-0859, CVE-2019-0877, CVE-2019-0879
    CVSS Scores
    Base 9.3 / Temporal 7.7
    Description
    Microsoft has released the security update for Windows April 2019

    The KB Articles associated with the update:
    KB4493446
    KB4493467
    KB4493472
    KB4493448
    KB4493451
    KB4493450
    KB4493471
    KB4493458
    KB4493470
    KB4493475
    KB4493474
    KB4493441
    KB4493464
    KB4493509
    KB4493552

    QID Detection Logic(Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
    This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
    The patch version of 6.0.6003.20489(KB4493471 or KB4493458)
    The patch version of 6.1.7601.24408(KB4493472 or KB4493448)
    The patch version of 6.2.9200.22720(KB4493451 or KB4493450)
    The patch version of 6.3.9600.19321(KB4493446 or KB4493467)
    The patch version of 10.0.10240.18186(KB4493475)
    The patch version of 10.0.14393.2906(KB4493470)
    The patch version of 10.0.15063.1746(KB4493474)
    The patch version of 10.0.16299.1087(KB4493441)
    The patch version of 10.0.17134.706(KB4493464)
    The patch version of 10.0.17763.437(KB4493509)

    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows

  • Microsoft Windows Servicing Stack Security Update April 2019

    Severity
    Serious 3
    Qualys ID
    91523
    Vendor Reference
    KB4493730
    CVE Reference
    N/A
    CVSS Scores
    Base 5.1 / Temporal 3.8
    Description
    Microsoft has released Servicing Stack security updates for Windows Server 2008 SP2.

    The update addresses an issue in the servicing stack when you install an update that has been signed by using only the SHA-2 hash algorithm. The servicing stack updates (SSU) makes sure that the servicing stack is robust and reliable such that devices can receive and install Microsoft security fixes.

    . QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008 Service Pack 2
    This QID checks for following file versions %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
    The patch version of 6.0.6003.20484 (KB4493730)

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Customers are advised to refer to advisrory ADV990001for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4493730

  • Microsoft ASP.NET Core Denial Of Service Vulnerability April 2019

    Severity
    Serious 3
    Qualys ID
    91524
    Vendor Reference
    CVE-2019-0815
    CVE Reference
    CVE-2019-0815
    CVSS Scores
    Base 5 / Temporal 3.7
    Description
    A denial of service vulnerability exists when ASP.NET Core improperly handles web requests.

    A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to the .NET Core application.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of aspnetcorev2.dll. NOTE: Target is vulnerable only if AspNetCoreModuleV2 module is used in their application. Detection does not check for web.config configuration, that is why it is marked under potential category.

    Consequence
    An attacker who successfully exploited this vulnerability can cause a denial of service against an ASP.NET Core web application.
    Solution
    Microsoft has released a patch CVE-2019-0815

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-0815

  • Microsoft Windows Admin Center Elevation of Privilege Vulnerability

    Severity
    Serious 3
    Qualys ID
    91525
    Vendor Reference
    KB4493552
    CVE Reference
    CVE-2019-0813
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description
    Windows Admin Center is a customer-deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs.

    An elevation of privilege vulnerability exists when Windows Admin Center improperly impersonates operations in certain situations.

    Affected Products:
    Windows Admin Center prior to 1809.5

    QID Detection Logic (authenticated):
    Operating Systems: Windows 10, Windows 2016, Windows 2019
    The checks the versuib if the file sme.exe, the patched version is 1.1.1903.26001

    Consequence
    Successful exploitation will allow elevation of privileges.

    Solution
    Customers are advised to refer KB4493552for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Windows Admin Center

These new vulnerability checks are included in Qualys vulnerability signature 2.4.576-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100365
    • 100367
    • 110333
    • 50091
    • 91520
    • 91521
    • 91522
    • 91523
    • 91524
    • 91525
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.