Microsoft security alert.
May 14, 2019
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 77 vulnerabilities that were fixed in 12 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 12 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2019
- Severity
- Critical 4
- Qualys ID
- 110334
- Vendor Reference
- KB4464536, KB4464549, KB4464551, KB4464556, KB4464561, KB4464564, KB4464567, KB4464573
- CVE Reference
- CVE-2019-0945, CVE-2019-0946, CVE-2019-0947, CVE-2019-0949, CVE-2019-0950, CVE-2019-0951, CVE-2019-0952, CVE-2019-0953, CVE-2019-0956, CVE-2019-0957, CVE-2019-0958, CVE-2019-0963
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft has released May 2019 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4464561
KB4464551
KB4464567
KB4464564
KB4464549
KB4464573
KB4464536
KB4464556
QID Detection Logic:
This authenticated QID checks the file versions from the above Microsoft KB articles against the versions on the affected Office system.
Note: For Office Click-to-Run, this QID only supports "Semi-Annual Channel 1808" at this time.
- Consequence
- Successful exploitation allows an attacker to execute arbitrary code.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2019
-
Microsoft Team Foundation Server Update for May 2019
- Severity
- Critical 4
- Qualys ID
- 91530
- Vendor Reference
- May Security Release
- CVE Reference
- CVE-2019-0872, CVE-2019-0971, CVE-2019-0979
- CVSS Scores
- Base 9 / Temporal 6.7
- Description
-
The Microsoft Team Foundation Server update for May 2019 remediates the following vulnerabilities:
CVE-2019-0872: cross site scripting (XSS) vulnerability in Test Plans
CVE-2019-0971: information disclosure vulnerability in the Repos API
CVE-2019-0979: cross site scripting (XSS) vulnerability in the User hub
Affected Software:
Azure DevOps Server 2019 Patch 2
Team Foundation Server 2015 Update 4.2
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
QID Detection Logic:
This authenticated QID locates file versions via the HKLM\Software\Microsoft\TeamFoundationServer registry key. The following files are checked:
TFS 2015 Update 4.2 Patch 1 - Microsoft.TeamFoundation.Framework.Server.dll - 14.114.28829.0
TFS 2017 Update 3.1 Patch 5 - Microsoft.TeamFoundation.Framework.Server.dll - 15.117.28826.0
TFS 2018 Update 1.2 Patch 4 - Microsoft.TeamFoundation.Server.WebAccess.Admin.dll - 16.122.28826.4
TFS 2018 Update 3.2 Patch 4 - Microsoft.TeamFoundation.WorkItemTracking.Web.dll - 16.131.28826.3
Azure DevOps Server 2019 Patch 2 - Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll - 17.143.28826.2
- Consequence
- Depending on the vulnerability being exploited, an attacker could conduct a cross-site scripting attack or gain access to sensitive information.
- Solution
-
Customers are advised to refer to May 2019 Security Release for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
May Security Release
-
Microsoft ASP.NET Core Denial Of Service Vulnerability May 2019 (DEPRECATED)
- Severity
- Serious 3
- Qualys ID
- 91528
- Vendor Reference
- CVE-2019-0982
- CVE Reference
- CVE-2019-0982
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests.
A remote unauthenticated attacker can exploit this vulnerability by issuing specially crafted requests to the .NET Core application.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable version of Microsoft.AspNetCore.App and Microsoft.AspNetCore.All
NOTE: This QID is marked as deprecated because the affected file doesn't contain valid version information; also, in most cases it is not installed with the default installation type.
- Consequence
- An attacker who successfully exploited this vulnerability can cause a denial of service against an ASP.NET Core web application.
- Solution
-
Microsoft has released a patch for CVE-2019-0982.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ASP.NET 2.1.11
ASP.NET 2.2.5
-
Microsoft Security Update for SQL Server for May 2019
- Severity
- Critical 4
- Qualys ID
- 22004
- Vendor Reference
- CVE-2019-0819
- CVE Reference
- CVE-2019-0819
- CVSS Scores
- Base 4 / Temporal 3
- Description
-
An information disclosure vulnerability exists in Microsoft SQL Server Analysis Services if it incorrectly enforces metadata permissions. To exploit this vulnerability, an authenticated attacker would need to submit a query to an affected Analysis Services database.
The security update addresses the vulnerability by correcting how SQL Server Analysis Services enforces permissions.
Affected Software:
Microsoft SQL Server 2017 CU 14
Microsoft SQL Server 2017 CU 14 GDR
QID Detection Logic:
This authenticated QID checks for vulnerable MSSQL versions lesser than
Knowledge base articles:
KB4494352
KB4494351
- Consequence
- An attacker could exploit the vulnerability if the attacker's credentials allow access to an affected Analysis Services database.
- Solution
-
Customers are advised to refer to CVE-2019-0819 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-0819
-
Microsoft Windows Security Update for May 2019
- Severity
- Urgent 5
- Qualys ID
- 91529
- Vendor Reference
- KB4494440, KB4494441, KB4499151, KB4499154, KB4499158, KB4499165, KB4499167, KB4499171, KB4499179, KB4499181
- CVE Reference
- CVE-2018-11091, CVE-2019-0707, CVE-2019-0725, CVE-2019-0727, CVE-2019-0733, CVE-2019-0734, CVE-2019-0758, CVE-2019-0863, CVE-2019-0881, CVE-2019-0882, CVE-2019-0885, CVE-2019-0886, CVE-2019-0889, CVE-2019-0890, CVE-2019-0891, CVE-2019-0892, CVE-2019-0893, CVE-2019-0894, CVE-2019-0895, CVE-2019-0896, CVE-2019-0897, CVE-2019-0898, CVE-2019-0899, CVE-2019-0900, CVE-2019-0901, CVE-2019-0902, CVE-2019-0903, CVE-2019-0931, CVE-2019-0936, CVE-2019-0942, CVE-2019-0961
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft releases the security update for Windows May 2019
The KB Articles associated with the update:
KB4499179
KB4499154
KB4494440
KB4499171
KB4499167
KB4499181
KB4499165
KB4499151
KB4499158
KB4494441
QID Detection Logic:
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB4494441 - 10.0.17763.503
KB4499179 - 10.0.16299.1146
KB4494440 - 10.0.14393.2969
KB4499154 - 10.0.10240.18215
KB4499171 - 6.2.9200.22753
KB4499181 - 10.0.15063.1805
KB4499158 - 6.2.9200.22753
KB4499151 - 6.3.9600.19358
KB4499165 - 6.3.9600.19358
KB4499167 - 10.0.17134.765
- Consequence
- An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
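The ntoskrnl.exe check described in this entry, worked through as an added example (not Qualys code). It assumes a host is missing the update when its file version is lower than the listed version for the same build branch; the function names and the sample inventory are constructed for illustration.

```python
# Patched ntoskrnl.exe versions copied from the KB table in this entry.
# Key: build branch (first three version fields).
# Value: (patched revision, KBs that deliver it).
PATCHED = {
    (10, 0, 17763): (503, ["KB4494441"]),
    (10, 0, 16299): (1146, ["KB4499179"]),
    (10, 0, 14393): (2969, ["KB4494440"]),
    (10, 0, 10240): (18215, ["KB4499154"]),
    (10, 0, 15063): (1805, ["KB4499181"]),
    (10, 0, 17134): (765, ["KB4499167"]),
    (6, 2, 9200): (22753, ["KB4499171", "KB4499158"]),
    (6, 3, 9600): (19358, ["KB4499151", "KB4499165"]),
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (status, kbs) for one observed ntoskrnl.exe file version."""
    major, minor, build, revision = parse_version(version_text)
    entry = PATCHED.get((major, minor, build))
    if entry is None:
        # Never compare across branches: 10.0.17763.1 sorts above
        # 10.0.16299.1146 as a tuple but says nothing about patch state.
        return ("unknown-branch", [])
    patched_revision, kbs = entry
    if revision < patched_revision:  # assumption: lower revision = unpatched
        return ("missing-update", kbs)
    return ("patched", kbs)


def audit(inventory):
    """Map host name -> assessment for a {host: version} inventory."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "srv-2019-a": "10.0.17763.437",
    "wks-1709-b": "10.0.16299.99",    # "99" > "1146" as strings, not as ints
    "srv-2012r2": "6.3.9600.19358",
    "wks-1903-c": "10.0.18362.116",   # branch not in the table above
}

if __name__ == "__main__":
    for host, (status, kbs) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} {', '.join(kbs)}")
```

A branch missing from the table is reported separately rather than as patched, so hosts the check cannot evaluate stay visible in the results.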
-
Microsoft Windows Servicing Stack Security Update May 2019
- Severity
- Serious 3
- Qualys ID
- 91533
- Vendor Reference
- N/A
- CVE Reference
- N/A
- CVSS Scores
- Base 5.1 / Temporal 3.8
- Description
-
Microsoft has released Servicing Stack security updates for Windows 10 RTM, Windows 10 Version 1607/Server 2016, Windows 10 Version 1703, Windows 10 1709/Windows Server, version 1709, Windows 10 1803/Windows Server, version 1803, Windows 10 1809/Server 2019 and Windows 10 1903/Windows Server, version 1903.
QID Detection Logic (Authenticated):
Operating Systems: Windows 10 RTM, Windows 10 Version 1607/Server 2016, Windows 10 Version 1703, Windows 10 1709/Windows Server, version 1709, Windows 10 1803/Windows Server, version 1803, Windows 10 1809/Server 2019.
This QID checks for the following file versions of %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
The patch version of 10.0.10240.18210 (KB4498353)
The patch version of 10.0.14393.2963 (KB4498947)
The patch version of 10.0.15063.1802 (KB4500640)
The patch version of 10.0.17763.503 (KB4499728)
This QID checks for the following file versions of %windir%\WinSxS\*microsoft-windows-servicingstack*\wcp.dll:
The patch version of 10.0.16299.1143 (KB4500641)
The patch version of 10.0.17134.760 (KB4497398)
Note: The QID currently does not support Windows 10 1903/Windows Server, version 1903.
- Consequence
- Successful exploitation allows an attacker to compromise the system.
- Solution
-
Customers are advised to refer to advisory ADV990001 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4497398
KB4498353
KB4498947
KB4499728
KB4500109
KB4500640
KB4500641
-
Microsoft .NET Framework and .NET Core Denial of Service Vulnerability May 2019
- Severity
- Serious 3
- Qualys ID
- 91531
- Vendor Reference
- KB4494440, KB4495610, KB4495611, KB4495613, KB4495616, KB4495620, KB4498961, KB4498962, KB4498963, KB4498964, KB4499154, KB4499167, KB4499179, KB4499181, KB4499405, KB4499406, KB4499407, KB4499408, KB4499409
- CVE Reference
- CVE-2019-0820, CVE-2019-0864, CVE-2019-0980, CVE-2019-0981
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests.
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings.
A denial of service vulnerability exists when .NET Framework improperly handles objects in heap memory.
KB4499407, KB4498962, KB4499406, KB4498961, KB4499408, KB4498963, KB4499409, KB4498964, KB4499154, KB4499167, KB4499405, KB4494440, KB4499181, KB4499179, KB4495610, KB4495611, KB4495613, KB4495616, KB4495620
This security update is rated Important for supported versions of Microsoft .NET Framework and .NET Core.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of system.dll for .NET Framework.
This QID checks for the vulnerable file version of dotnet.dll for .NET Core SDK.
This QID checks for the vulnerable version of Microsoft.NETCore.App under default directory for .version file.
- Consequence
- An attacker who successfully exploited this vulnerability can cause a denial of service against a .NET application.
- Solution
-
Customers are advised to refer to CVE-2019-0980, CVE-2019-0981, CVE-2019-0820, CVE-2019-0864 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
.NET CORE 2.1
.NET CORE 2.2
-
Microsoft Edge Security Update for May 2019
- Severity
- Critical 4
- Qualys ID
- 91527
- Vendor Reference
- KB4494440, KB4494441, KB4497936, KB4499154, KB4499167, KB4499179, KB4499181
- CVE Reference
- CVE-2019-0884, CVE-2019-0911, CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0926, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937, CVE-2019-0938, CVE-2019-0940
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Microsoft releases the security update for Microsoft Edge May 2019
The KB Articles associated with the update:
KB4497936
KB4499154
KB4499181
KB4499167
KB4494441
KB4499179
KB4494440
QID Detection Logic:
This QID checks for the file version of edgehtml.dll
The following versions of edgehtml.dll with their corresponding KBs are verified:
KB4494441 - 11.0.17763.503
KB4499179 - 11.0.16299.1146
KB4494440 - 11.0.14393.2969
KB4499154 - 11.0.10240.18215
KB4499181 - 11.0.15063.1805
KB4499167 - 11.0.17134.765
- Consequence
- The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Visual Studio Security Update for May 2019
- Severity
- Critical 4
- Qualys ID
- 91526
- Vendor Reference
- CVE-2019-0727
- CVE Reference
- CVE-2019-0727
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Microsoft Visual Studio contains the following vulnerabilities:
CVE-2019-0727: An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly performs certain file operations.
The KB article associated with this update is: KB4489639
Affected Software:
Microsoft Visual Studio 2017 version 15.0
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2019 version 16.0
QID Detection Logic:
This QID detects vulnerable versions of Microsoft Visual Studio by reviewing the file version of devenv.exe or StandardCollector.Service.exe on all instances of Visual Studio.
- Consequence
- An attacker who successfully exploited this vulnerability could delete files in arbitrary locations.
- Solution
-
Customers are advised to refer to CVE-2019-0727 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-0727
-
Microsoft Internet Explorer Security Update for May 2019
- Severity
- Critical 4
- Qualys ID
- 100371
- Vendor Reference
- KB4494440, KB4494441, KB4497936, KB4498206, KB4499149, KB4499151, KB4499154, KB4499164, KB4499167, KB4499171, KB4499179, KB4499181
- CVE Reference
- CVE-2019-0884, CVE-2019-0911, CVE-2019-0918, CVE-2019-0921, CVE-2019-0929, CVE-2019-0930, CVE-2019-0940, CVE-2019-0995
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Microsoft releases the security update for Internet Explorer May 2019
The KB Articles associated with the update:
KB4499179
KB4499149
KB4494440
KB4499154
KB4497936
KB4499171
KB4499181
KB4499151
KB4498206
KB4499167
KB4499164
KB4494441
QID Detection Logic:
This QID checks for the file version of Mshtml.dll
The following versions of Mshtml.dll with their corresponding KBs are verified:
KB4498206 - 10.0.9200.22750 , 9.0.8112.21333 , 11.0.9600.19354
KB4499164 - 11.0.9600.19355
KB4494441 - 11.0.17763.503
KB4499149 - 9.0.8112.21334
KB4499179 - 11.0.16299.1146
KB4494440 - 11.0.14393.2969
KB4499167 - 11.0.17134.765
KB4499154 - 11.0.10240.18215
KB4499171 - 10.0.9200.22752
KB4499181 - 11.0.15063.1805
KB4499151 - 11.0.9600.19355
- Consequence
- The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Windows Adobe Flash Player Security Update for May 2019 (ADV190012)
- Severity
- Urgent 5
- Qualys ID
- 100370
- Vendor Reference
- ADV190012
- CVE Reference
- CVE-2019-7837
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
The update contains security fixes for Adobe Flash Player on Internet Explorer.
Affected Versions:
Windows 8 Embedded, Windows 10 Version 1803, Windows Server 2016, Windows 10 Version 1709, Windows 10 Version 1809, Windows 10 Version 1703, Windows 10 Version 1607, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, Windows Server 2019 and Windows Server 2012 with Adobe Flash Player version prior to 32.0.0.192.
QID Detection Logic:
This authenticated QID will flag if file version of %windir%\System32\Macromed\Flash\Flash.ocx is less than or equal to 32.0.0.192.
- Consequence
-
Successful exploitation of the vulnerability will lead to information disclosure or arbitrary code execution.
- Solution
-
Customers are advised to follow 4497932 for instructions pertaining to the remediation of this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4497932 Windows
-
Microsoft Dynamics 365 Security Update for May 2019
- Severity
- Critical 4
- Qualys ID
- 91532
- Vendor Reference
- CVE-2019-1008
- CVE Reference
- CVE-2019-1008
- CVSS Scores
- Base 4.3 / Temporal 3.2
- Description
-
A security feature bypass vulnerability exists in Dynamics On Premise. To exploit the vulnerability, an attacker would need to capture and edit the POST request to include a special character in the extension. The update addresses the vulnerability by blocking files with the special character in the file extension.
Affected Software:
Microsoft Dynamics CRM 2015 (on-premises) version 7.0
Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft Dynamics 365 (on-premises) version 9.0
QID Detection Logic:
This QID detects vulnerable versions by checking if the version of Microsoft.Crm.Setup.Server.exe is lower than:
Microsoft Dynamics CRM 2015 (on-premises) version 7.0 - 7.0.3.147
Microsoft Dynamics 365 (on-premises) version 8.2 - 8.2.6.19
Microsoft Dynamics 365 (on-premises) version 9.0 - 9.0.4.5
Knowledge base articles:
KB4494412
KB4498363
KB4499386
- Consequence
- An attacker who exploited the vulnerability could send attachment types that are blocked by the email attachment system.
- Solution
-
Customers are advised to refer to CVE-2019-1008 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-1008
These new vulnerability checks are included in Qualys vulnerability signature 2.4.603-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110334
- 91530
- 91528
- 22004
- 91529
- 91533
- 91531
- 91527
- 91526
- 100371
- 100370
- 91532
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.