Microsoft security alert.

May 14, 2019

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 77 vulnerabilities that were fixed in 12 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 12 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2019

    Severity
    Critical 4
    Qualys ID
    110334
    Vendor Reference
    KB4464536, KB4464549, KB4464551, KB4464556, KB4464561, KB4464564, KB4464567, KB4464573
    CVE Reference
    CVE-2019-0945, CVE-2019-0946, CVE-2019-0947, CVE-2019-0949, CVE-2019-0950, CVE-2019-0951, CVE-2019-0952, CVE-2019-0953, CVE-2019-0956, CVE-2019-0957, CVE-2019-0958, CVE-2019-0963
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft has released May 2019 security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB4464561
    KB4464551
    KB4464567
    KB4464564
    KB4464549
    KB4464573
    KB4464536
    KB4464556

    QID Detection Logic:
    This authenticated QID compares the file versions listed in the above Microsoft KB articles with the versions on the affected Office system.

    Note: For Office Click to Run, this QID only supports "Semi-Annual Channel 1808" at this time.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2019

  • Microsoft Team Foundation Server Update for May 2019

    Severity
    Critical 4
    Qualys ID
    91530
    Vendor Reference
    May Security Release
    CVE Reference
    CVE-2019-0872, CVE-2019-0971, CVE-2019-0979
    CVSS Scores
    Base 9 / Temporal 6.7
    Description
    The Microsoft Team Foundation Server update for May 2019 remediates the following vulnerabilities:
    CVE-2019-0872: cross site scripting (XSS) vulnerability in Test Plans
    CVE-2019-0971: information disclosure vulnerability in the Repos API
    CVE-2019-0979: cross site scripting (XSS) vulnerability in the User hub

    Affected Software:
    Azure DevOps Server 2019 Patch 2
    Team Foundation Server 2015 Update 4.2
    Team Foundation Server 2017 Update 3.1
    Team Foundation Server 2018 Update 1.2
    Team Foundation Server 2018 Update 3.2

    QID Detection Logic:
    This authenticated QID locates file versions via the HKLM\Software\Microsoft\TeamFoundationServer registry key. The following files are checked:
    TFS 2015 Update 4.2 Patch 1 - Microsoft.TeamFoundation.Framework.Server.dll - 14.114.28829.0
    TFS 2017 Update 3.1 Patch 5 - Microsoft.TeamFoundation.Framework.Server.dll - 15.117.28826.0
    TFS 2018 Update 1.2 Patch 4 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 16.122.28826.4
    TFS 2018 Update 3.2 Patch 4 - Microsoft.TeamFoundation.WorkItemTracking.Web.dll - 16.131.28826.3
    Azure DevOps Server 2019 Patch 2 - Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll - 17.143.28826.2

    Consequence
    Depending on the vulnerability being exploited, an attacker could conduct a cross-site scripting attack or gain access to sensitive information.
    Solution
    Customers are advised to refer to May 2019 Security Release for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    May Security Release

  • Microsoft ASP.NET Core Denial Of Service Vulnerability May 2019 (DEPRECATED)

    Severity
    Serious 3
    Qualys ID
    91528
    Vendor Reference
    CVE-2019-0982
    CVE Reference
    CVE-2019-0982
    CVSS Scores
    Base 5 / Temporal 3.7
    Description
    A denial of service vulnerability exists when ASP.NET Core improperly handles web requests.

    A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to the .NET Core application.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable version of Microsoft.AspNetCore.App and Microsoft.AspNetCore.All
    NOTE: This QID is marked as deprecated because the affected file does not contain valid version information; also, in most cases it is not installed with the default installation type.

    Consequence
    An attacker who successfully exploited this vulnerability can cause a denial of service against an ASP.NET Core web application.
    Solution
    Microsoft has released a patch: CVE-2019-0982

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ASP.NET 2.1.11
    ASP.NET 2.2.5

  • Microsoft Security Update for SQL Server for May 2019

    Severity
    Critical 4
    Qualys ID
    22004
    Vendor Reference
    CVE-2019-0819
    CVE Reference
    CVE-2019-0819
    CVSS Scores
    Base 4 / Temporal 3
    Description
    An information disclosure vulnerability exists in Microsoft SQL Server Analysis Services if it incorrectly enforces metadata permissions. To exploit this vulnerability, an authenticated attacker would need to submit a query to an affected Analysis Services database.

    The security update addresses the vulnerability by correcting how SQL Server Analysis Services enforces permissions.

    Affected Software:
    Microsoft SQL Server 2017 CU 14
    Microsoft SQL Server 2017 CU 14 GDR

    QID Detection Logic:
    This authenticated QID checks for vulnerable MSSQL versions lesser than

    Knowledge base articles:
    KB4494352
    KB4494351

    Consequence
    An attacker could exploit the vulnerability if the attacker's credentials allow access to an affected Analysis Services database.
    Solution
    Customers are advised to refer to CVE-2019-0819 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-0819

  • Microsoft Windows Security Update for May 2019

    Severity
    Urgent 5
    Qualys ID
    91529
    Vendor Reference
    KB4494440, KB4494441, KB4499151, KB4499154, KB4499158, KB4499165, KB4499167, KB4499171, KB4499179, KB4499181
    CVE Reference
    CVE-2018-11091, CVE-2019-0707, CVE-2019-0725, CVE-2019-0727, CVE-2019-0733, CVE-2019-0734, CVE-2019-0758, CVE-2019-0863, CVE-2019-0881, CVE-2019-0882, CVE-2019-0885, CVE-2019-0886, CVE-2019-0889, CVE-2019-0890, CVE-2019-0891, CVE-2019-0892, CVE-2019-0893, CVE-2019-0894, CVE-2019-0895, CVE-2019-0896, CVE-2019-0897, CVE-2019-0898, CVE-2019-0899, CVE-2019-0900, CVE-2019-0901, CVE-2019-0902, CVE-2019-0903, CVE-2019-0931, CVE-2019-0936, CVE-2019-0942, CVE-2019-0961
    CVSS Scores
    Base 9.3 / Temporal 7.7
    Description
    Microsoft releases the security update for Windows May 2019

    The KB Articles associated with the update:
    KB4499179
    KB4499154
    KB4494440
    KB4499171
    KB4499167
    KB4499181
    KB4499165
    KB4499151
    KB4499158
    KB4494441

    QID Detection Logic:

    This QID checks for the file version of ntoskrnl.exe

    The following versions of ntoskrnl.exe with their corresponding KBs are verified:
    KB4494441 - 10.0.17763.503
    KB4499179 - 10.0.16299.1146
    KB4494440 - 10.0.14393.2969
    KB4499154 - 10.0.10240.18215
    KB4499171 - 6.2.9200.22753
    KB4499181 - 10.0.15063.1805
    KB4499158 - 6.2.9200.22753
    KB4499151 - 6.3.9600.19358
    KB4499165 - 6.3.9600.19358
    KB4499167 - 10.0.17134.765

    Consequence
    An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows

  • Microsoft Windows Servicing Stack Security Update May 2019

    Severity
    Serious 3
    Qualys ID
    91533
    Vendor Reference
    N/A
    CVE Reference
    N/A
    CVSS Scores
    Base 5.1 / Temporal 3.8
    Description
    Microsoft has released Servicing Stack security updates for Windows 10 RTM, Windows 10 Version 1607/Server 2016, Windows 10 Version 1703, Windows 10 1709/Windows Server, version 1709, Windows 10 1803/Windows Server, version 1803, Windows 10 1809/Server 2019 and Windows 10 1903/Windows Server, version 1903.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 10 RTM, Windows 10 Version 1607/Server 2016, Windows 10 Version 1703, Windows 10 1709/Windows Server, version 1709, Windows 10 1803/Windows Server, version 1803, Windows 10 1809/Server 2019.


    This QID checks for the following file versions of %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
    The patch version of 10.0.10240.18210 (KB4498353)
    The patch version of 10.0.14393.2963 (KB4498947)
    The patch version of 10.0.15063.1802 (KB4500640)
    The patch version of 10.0.17763.503 (KB4499728)

    This QID checks for the following file versions of %windir%\WinSxS\*microsoft-windows-servicingstack*\wcp.dll:
    The patch version of 10.0.16299.1143 (KB4500641)
    The patch version of 10.0.17134.760 (KB4497398)

    Note: The QID currently does not support Windows 10 1903/Windows Server, version 1903.

    Consequence
    Successful exploitation allows an attacker to compromise the system.
    Solution
    Customers are advised to refer to advisory ADV990001 for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4497398
    KB4498353
    KB4498947
    KB4499728
    KB4500109
    KB4500640
    KB4500641

  • Microsoft .NET Framework and .NET Core Denial of Service Vulnerability May 2019

    Severity
    Serious 3
    Qualys ID
    91531
    Vendor Reference
    KB4494440, KB4495610, KB4495611, KB4495613, KB4495616, KB4495620, KB4498961, KB4498962, KB4498963, KB4498964, KB4499154, KB4499167, KB4499179, KB4499181, KB4499405, KB4499406, KB4499407, KB4499408, KB4499409
    CVE Reference
    CVE-2019-0820, CVE-2019-0864, CVE-2019-0980, CVE-2019-0981
    CVSS Scores
    Base 5 / Temporal 3.7
    Description
    A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests.
    A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings.
    A denial of service vulnerability exists when .NET Framework improperly handles objects in heap memory.
    KB articles associated with this update: KB4499407, KB4498962, KB4499406, KB4498961, KB4499408, KB4498963, KB4499409, KB4498964, KB4499154, KB4499167, KB4499405, KB4494440, KB4499181, KB4499179, KB4495610, KB4495611, KB4495613, KB4495616, KB4495620

    This security update is rated Important for supported versions of Microsoft .NET Framework and .NET Core.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of system.dll for .NET Framework.
    This QID checks for the vulnerable file version of dotnet.dll for the .NET Core SDK.
    This QID checks for the vulnerable version of Microsoft.NETCore.App via the .version file under the default directory.

    Consequence
    An attacker who successfully exploited this vulnerability can cause a denial of service against a .NET application.
    Solution
    Customers are advised to refer to CVE-2019-0980, CVE-2019-0981, CVE-2019-0820, CVE-2019-0864 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    .NET CORE 2.1
    .NET CORE 2.2

  • Microsoft Edge Security Update for May 2019

    Severity
    Critical 4
    Qualys ID
    91527
    Vendor Reference
    KB4494440, KB4494441, KB4497936, KB4499154, KB4499167, KB4499179, KB4499181
    CVE Reference
    CVE-2019-0884, CVE-2019-0911, CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0926, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937, CVE-2019-0938, CVE-2019-0940
    CVSS Scores
    Base 7.6 / Temporal 6.3
    Description
    Microsoft releases the security update for Microsoft Edge May 2019

    The KB Articles associated with the update:
    KB4497936
    KB4499154
    KB4499181
    KB4499167
    KB4494441
    KB4499179
    KB4494440

    QID Detection Logic:

    This QID checks for the file version of edgehtml.dll

    The following versions of edgehtml.dll with their corresponding KBs are verified:
    KB4494441 - 11.0.17763.503
    KB4499179 - 11.0.16299.1146
    KB4494440 - 11.0.14393.2969
    KB4499154 - 11.0.10240.18215
    KB4499181 - 11.0.15063.1805
    KB4499167 - 11.0.17134.765

    Consequence
    The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows

  • Microsoft Visual Studio Security Update for May 2019

    Severity
    Critical 4
    Qualys ID
    91526
    Vendor Reference
    CVE-2019-0727
    CVE Reference
    CVE-2019-0727
    CVSS Scores
    Base 7.2 / Temporal 5.3
    Description
    Microsoft Visual Studio contains the following vulnerabilities:
    CVE-2019-0727: An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly performs certain file operations.

    The KB article associated with this update is: KB4489639

    Affected Software:
    Microsoft Visual Studio 2017 version 15.0
    Microsoft Visual Studio 2015 Update 3
    Microsoft Visual Studio 2017 version 15.9
    Microsoft Visual Studio 2019 version 16.0

    QID Detection Logic:
    This QID detects vulnerable versions of Microsoft Visual Studio by reviewing the file version of devenv.exe or StandardCollector.Service.exe on all instances of Visual Studio.

    Consequence
    An attacker who successfully exploited this vulnerability could delete files in arbitrary locations.
    Solution
    Customers are advised to refer to CVE-2019-0727 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-0727

  • Microsoft Internet Explorer Security Update for May 2019

    Severity
    Critical 4
    Qualys ID
    100371
    Vendor Reference
    KB4494440, KB4494441, KB4497936, KB4498206, KB4499149, KB4499151, KB4499154, KB4499164, KB4499167, KB4499171, KB4499179, KB4499181
    CVE Reference
    CVE-2019-0884, CVE-2019-0911, CVE-2019-0918, CVE-2019-0921, CVE-2019-0929, CVE-2019-0930, CVE-2019-0940, CVE-2019-0995
    CVSS Scores
    Base 7.6 / Temporal 6.3
    Description
    Microsoft releases the security update for Internet Explorer May 2019

    The KB Articles associated with the update:
    KB4499179
    KB4499149
    KB4494440
    KB4499154
    KB4497936
    KB4499171
    KB4499181
    KB4499151
    KB4498206
    KB4499167
    KB4499164
    KB4494441

    QID Detection Logic:

    This QID checks for the file version of Mshtml.dll

    The following versions of Mshtml.dll with their corresponding KBs are verified:
    KB4498206 - 10.0.9200.22750 , 9.0.8112.21333 , 11.0.9600.19354
    KB4499164 - 11.0.9600.19355
    KB4494441 - 11.0.17763.503
    KB4499149 - 9.0.8112.21334
    KB4499179 - 11.0.16299.1146
    KB4494440 - 11.0.14393.2969
    KB4499167 - 11.0.17134.765
    KB4499154 - 11.0.10240.18215
    KB4499171 - 10.0.9200.22752
    KB4499181 - 11.0.15063.1805
    KB4499151 - 11.0.9600.19355

    Consequence
    The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows

  • Microsoft Windows Adobe Flash Player Security Update for May 2019 (ADV190012)

    Severity
    Urgent 5
    Qualys ID
    100370
    Vendor Reference
    ADV190012
    CVE Reference
    CVE-2019-7837
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    The update contains security fixes for Adobe Flash Player on Internet Explorer.

    Affected Versions:
    Windows 8 Embedded, Windows 10 Version 1803, Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1809, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, Windows Server 2019 and Windows Server 2012 with Adobe Flash Player version prior to 32.0.0.192.

    QID Detection Logic:
    This authenticated QID flags the host if the file version of %windir%\System32\Macromed\Flash\Flash.ocx is less than or equal to 32.0.0.192.

    Consequence
    Successful exploitation of the vulnerability will lead to information disclosure or arbitrary code execution.

    Solution
    Customers are advised to follow 4497932 for instructions pertaining to the remediation of this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4497932 Windows

  • Microsoft Dynamics 365 Security Update for May 2019

    Severity
    Critical 4
    Qualys ID
    91532
    Vendor Reference
    CVE-2019-1008
    CVE Reference
    CVE-2019-1008
    CVSS Scores
    Base 4.3 / Temporal 3.2
    Description
    A security feature bypass vulnerability exists in Dynamics On Premise. To exploit the vulnerability, an attacker would need to capture and edit the POST request to include a special character in the extension. The update addresses the vulnerability by blocking files with the special character in the file extension.

    Affected Software:
    Microsoft Dynamics CRM 2015 (on-premises) version 7.0
    Microsoft Dynamics 365 (on-premises) version 8.2
    Microsoft Dynamics 365 (on-premises) version 9.0

    QID Detection Logic:
    This QID detects vulnerable versions by checking if the version of Microsoft.Crm.Setup.Server.exe is less than:
    Microsoft Dynamics CRM 2015 (on-premises) version 7.0 - 7.0.3.147
    Microsoft Dynamics 365 (on-premises) version 8.2 - 8.2.6.19
    Microsoft Dynamics 365 (on-premises) version 9.0 - 9.0.4.5

    Knowledge base articles:
    KB4494412
    KB4498363
    KB4499386

    Consequence
    An attacker who exploited the vulnerability could send attachment types that are blocked by the email attachment system.
    Solution
    Customers are advised to refer to CVE-2019-1008 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2019-1008
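
The per-branch file-version comparison behind the ntoskrnl.exe check in QID 91529, as an added Python example (not Qualys code). The version table is copied from that entry; the host names, the sample versions and the rule that a revision at or above the listed one counts as patched are assumptions.

```python
# Added example: constructed illustration, not Qualys scanner code.
# Patched ntoskrnl.exe versions copied from the QID 91529 table on this page.
PATCHED_NTOSKRNL = {
    "KB4494441": "10.0.17763.503",
    "KB4499179": "10.0.16299.1146",
    "KB4494440": "10.0.14393.2969",
    "KB4499154": "10.0.10240.18215",
    "KB4499171": "6.2.9200.22753",
    "KB4499181": "10.0.15063.1805",
    "KB4499158": "6.2.9200.22753",
    "KB4499151": "6.3.9600.19358",
    "KB4499165": "6.3.9600.19358",
    "KB4499167": "10.0.17134.765",
}

def parse_version(text):
    """Turn '10.0.17763.503' into (10, 0, 17763, 503) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)

def build_baselines(table):
    """Group the table by OS branch (major, minor, build)."""
    baselines = {}
    for kb, version in table.items():
        *branch, revision = parse_version(version)
        entry = baselines.setdefault(tuple(branch), {"revision": revision, "kbs": []})
        entry["revision"] = max(entry["revision"], revision)
        entry["kbs"].append(kb)  # two KBs can share one branch (6.2.9200, 6.3.9600)
    return baselines

BASELINES = build_baselines(PATCHED_NTOSKRNL)

def evaluate(file_version, baselines=BASELINES):
    """Return (status, candidate_kbs) for one host's ntoskrnl.exe version.

    Only the revision is compared, and only against the baseline of the same
    branch: 10.0.17763.1 is newer than 10.0.16299.1146 as a tuple, yet it is
    still unpatched for its own branch.
    """
    major, minor, build, revision = parse_version(file_version)
    entry = baselines.get((major, minor, build))
    if entry is None:
        return ("unknown-branch", [])  # branch not in the table: no verdict
    if revision >= entry["revision"]:  # assumption: later revisions include the fix
        return ("patched", [])
    return ("missing", sorted(entry["kbs"]))

def audit(inventory):
    """Evaluate a {host: version} inventory."""
    return {host: evaluate(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "srv-2019-01": "10.0.17763.503",
    "wks-1709-07": "10.0.16299.998",   # a string compare would rank 998 above 1146
    "srv-2012r2-03": "6.3.9600.19300",
    "wks-other-02": "10.0.18362.116",  # branch absent from the table
}

if __name__ == "__main__":
    for host, (status, kbs) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} {', '.join(kbs)}")
```

Comparing the dotted strings directly would report `10.0.16299.998` as newer than `10.0.16299.1146`, which is why each component is parsed as an integer first.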

These new vulnerability checks are included in Qualys vulnerability signature 2.4.603-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 110334
    • 91530
    • 91528
    • 22004
    • 91529
    • 91533
    • 91531
    • 91527
    • 91526
    • 100371
    • 100370
    • 91532
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.