Microsoft security alert.
August 13, 2019
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 92 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Security Update for August 2019
- Severity
- Critical 4
- Qualys ID
- 100381
- Vendor Reference
- KB4511553, KB4511872, KB4512476, KB4512488, KB4512497, KB4512501, KB4512506, KB4512507, KB4512508, KB4512516, KB4512517, KB4512518
- CVE Reference
- CVE-2019-1133, CVE-2019-1192, CVE-2019-1193, CVE-2019-1194
- CVSS Scores
- Base 7.6 / Temporal 5.6
- Description
-
Microsoft releases the security update for Internet Explorer August 2019
The KB Articles associated with the update:
KB4511553
KB4512507
KB4512501
KB4512516
KB4512517
KB4512488
KB4512476
KB4511872
KB4512508
KB4512518
KB4512506
KB4512497
QID Detection Logic:
This QID checks the file version of Mshtml.dll.
The following versions of Mshtml.dll with their corresponding KBs are verified:
KB4511553 - 11.0.17763.678
KB4512507 - 11.0.15063.1987
KB4512501 - 11.0.17134.950
KB4512516 - 11.0.16299.1331
KB4512517 - 11.0.14393.3143
KB4512488 - 11.0.9600.19431
KB4512476 - 9.0.8112.21366
KB4511872 - 11.0.9600.19431, 9.0.8112.21366, 10.0.9200.22825
KB4512508 - 11.0.18362.295
KB4512518 - 10.0.9200.22825
KB4512506 - 11.0.9600.19431
KB4512497 - 11.0.10240.18303
- Consequence
- An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2019
- Severity
- Critical 4
- Qualys ID
- 110337
- Vendor Reference
- KB4462137, KB4462216, KB4464599, KB4475506, KB4475528, KB4475530, KB4475531, KB4475533, KB4475534, KB4475538, KB4475540, KB4475547, KB4475549, KB4475553, KB4475555, KB4475557, KB4475563, KB4475565, KB4475573, KB4475575
- CVE Reference
- CVE-2019-1155, CVE-2019-1199, CVE-2019-1200, CVE-2019-1201, CVE-2019-1202, CVE-2019-1203, CVE-2019-1204, CVE-2019-1205
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft has released August 2019 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4464599
KB4475538
KB4475506
KB4475553
KB4475563
KB4475573
KB4462216
KB4475534
KB4475531
KB4475530
KB4475540
KB4475547
KB4475533
KB4475549
KB4462137
KB4475555
KB4475528
KB4475565
KB4475575
KB4475557
QID Detection Logic:
This authenticated QID compares the file versions listed in the Microsoft KB articles above with the versions on the affected Office system.
- Consequence
- Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2019
-
Microsoft Edge Security Update for August 2019
- Severity
- Critical 4
- Qualys ID
- 91558
- Vendor Reference
- KB4511553, KB4512497, KB4512501, KB4512507, KB4512508, KB4512516, KB4512517
- CVE Reference
- CVE-2019-1030, CVE-2019-1131, CVE-2019-1139, CVE-2019-1140, CVE-2019-1141, CVE-2019-1192, CVE-2019-1193, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197
- CVSS Scores
- Base 7.6 / Temporal 5.6
- Description
-
Microsoft releases the security update for Microsoft Edge August 2019
The KB Articles associated with the update:
KB4511553
KB4512497
KB4512507
KB4512508
KB4512516
KB4512517
KB4512501
QID Detection Logic:
This QID checks the file version of edgehtml.dll.
The following versions of edgehtml.dll with their corresponding KBs are verified:
KB4511553 - 11.0.17763.678
KB4512497 - 11.0.10240.18303
KB4512507 - 11.0.15063.1987
KB4512508 - 11.0.18362.295
KB4512516 - 11.0.16299.1331
KB4512517 - 11.0.14393.3143
KB4512501 - 11.0.17134.950
- Consequence
- An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Defender Elevation of Privilege Vulnerability August 2019
- Severity
- Serious 3
- Qualys ID
- 91559
- Vendor Reference
- CVE-2019-1161
- CVE Reference
- CVE-2019-1161
- CVSS Scores
- Base 6.6 / Temporal 4.9
- Description
-
An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations.
Affected Software:
MpSigStub.exe versions prior to 1.1.16200.1 running on Microsoft Forefront Endpoint Protection 2010, Microsoft Endpoint Protection, Microsoft Security Essentials and Windows Defender
QID Detection Logic (Authenticated):
The authenticated check looks for the version of the "MpSigStub.exe" file.
- Consequence
- Successful exploitation allows an attacker to elevate the privileges and delete protected files on an affected system.
- Solution
-
Users are advised to check CVE-2019-1161 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-1161
-
Microsoft Windows Security Update for August 2019
- Severity
- Urgent 5
- Qualys ID
- 91560
- Vendor Reference
- KB4511553, KB4512476, KB4512482, KB4512486, KB4512488, KB4512489, KB4512491, KB4512497, KB4512501, KB4512506, KB4512507, KB4512508, KB4512516, KB4512517, KB4512518
- CVE Reference
- CVE-2019-0714, CVE-2019-0715, CVE-2019-0716, CVE-2019-0717, CVE-2019-0718, CVE-2019-0720, CVE-2019-0723, CVE-2019-0736, CVE-2019-0965, CVE-2019-1057, CVE-2019-1078, CVE-2019-1143, CVE-2019-1144, CVE-2019-1145, CVE-2019-1146, CVE-2019-1147, CVE-2019-1148, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152, CVE-2019-1153, CVE-2019-1154, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157, CVE-2019-1158, CVE-2019-1159, CVE-2019-1161, CVE-2019-1162, CVE-2019-1163, CVE-2019-1164, CVE-2019-1168, CVE-2019-1169, CVE-2019-1170, CVE-2019-1171, CVE-2019-1172, CVE-2019-1173, CVE-2019-1174, CVE-2019-1175, CVE-2019-1176, CVE-2019-1177, CVE-2019-1178, CVE-2019-1179, CVE-2019-1180, CVE-2019-1183, CVE-2019-1184, CVE-2019-1185, CVE-2019-1186, CVE-2019-1187, CVE-2019-1188, CVE-2019-1190, CVE-2019-1198, CVE-2019-1206, CVE-2019-1212, CVE-2019-1213, CVE-2019-1227, CVE-2019-1228, CVE-2019-9506, CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft releases the security update for Windows August 2019
The KB Articles associated with the update:
KB4511553
KB4512476
KB4512482
KB4512486
KB4512488
KB4512489
KB4512491
KB4512497
KB4512501
KB4512506
KB4512507
KB4512508
KB4512516
KB4512517
KB4512518
QID Detection Logic:
This QID checks the file version of ntoskrnl.exe.
- Consequence
- An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Dynamics 365 Security Update for August 2019
- Severity
- Serious 3
- Qualys ID
- 91561
- Vendor Reference
- CVE-2019-1229
- CVE Reference
- CVE-2019-1229
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
An elevation of privilege vulnerability exists in Dynamics On-Premise v9. To exploit this vulnerability, an attacker needs to have credentials for a user that has permission to author customized business rules in Dynamics, and persist XAML script in a way that causes it to be interpreted as code.
The update addresses the vulnerability by restricting XAML activities to a whitelisted set.
Affected Versions:
Microsoft Dynamics 365 (on-premises) version 9.0
QID Detection Logic:
This authenticated QID flags vulnerable systems by detecting Microsoft.Crm.Setup.Server.exe versions lower than 9.0.7.8.
- Consequence
-
Successful exploitation of this vulnerability could allow a user with customizer privileges within Dynamics to gain control of the Web Role hosting the Dynamics installation.
- Solution
-
Customers are advised to refer to CVE-2019-1229 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-1229
-
Microsoft Visual Studio Security Update for August 2019
- Severity
- Serious 3
- Qualys ID
- 91562
- Vendor Reference
- CVE-2019-1211
- CVE Reference
- CVE-2019-1211
- CVSS Scores
- Base 3.7 / Temporal 2.7
- Description
-
Microsoft Visual Studio contains the following vulnerabilities:
CVE-2019-1211: An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files.
Affected Software:
Microsoft Visual Studio 2017
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.2
QID Detection Logic:
This QID detects vulnerable versions of Microsoft Visual Studio by reviewing the file version of devenv.exe on all instances of Visual Studio.
- Consequence
- An attacker who successfully exploited the vulnerability could execute code in the context of another local user.
- Solution
-
Customers are advised to refer to CVE-2019-1211 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2019-1211
-
Microsoft Windows Security Update for Remote Desktop Service August 2019 (Seven Monkeys)
- Severity
- Urgent 5
- Qualys ID
- 91563
- Vendor Reference
- KB4511553, KB4512482, KB4512486, KB4512488, KB4512489, KB4512497, KB4512501, KB4512506, KB4512507, KB4512508, KB4512516, KB4512517, KB4512518
- CVE Reference
- CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Microsoft has patched four different Critical vulnerabilities in Remote Desktop Services: CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226. All of them can be exploited without authentication or user interaction. According to Microsoft, at least two of these (CVE-2019-1181 and CVE-2019-1182) can be considered "wormable", and Microsoft equates them to BlueKeep. It is highly likely that at least one of these vulnerabilities will be quickly weaponized, and patching should be prioritized for all Windows systems.
The KB Articles associated with the update:
KB4511553
KB4512482
KB4512486
KB4512488
KB4512489
KB4512497
KB4512501
KB4512506
KB4512507
KB4512508
KB4512516
KB4512517
KB4512518
Affected Versions:
The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
Note: Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, nor is the Remote Desktop Protocol (RDP) itself affected.
QID Detection Logic:
This QID checks for the file version of rdpcorets.dll and rdpbase.dll as detailed below:
The following versions of rdpcorets.dll with their corresponding KBs are verified:
KB4512506 - 6.2.9200.22828
KB4512486 - 6.2.9200.22828
KB4512488 - 6.3.9600.19422
KB4512517 - 10.0.14393.3143
KB4512518 - 6.2.9200.22822
KB4512482 - 6.2.9200.22822
KB4512489 - 6.3.9600.19422
KB4512497 - 10.0.10240.18303
The following versions of rdpbase.dll with their corresponding KBs are verified:
KB4511553 - 10.0.17763.678
KB4512501 - 10.0.17134.950
KB4512516 - 10.0.16299.1331
KB4512507 - 10.0.15063.1987
KB4512508 - 10.0.18362.295
Note: On Windows 7 SP1 and Windows 2008 R2 SP1 with RDP 8.1, the file version of "mstscax.dll" is used to detect the vulnerabilities.
- Consequence
- An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
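The file-version comparison described in the detection logic above can be sketched offline as follows. This is an added example, not Qualys code: the fixed versions come from the rdpcorets.dll and rdpbase.dll tables, while the inventory rows, the status names and the rule that a lower version on the same branch means a missing update are assumptions.

```python
# Added example, not Qualys code. Fixed versions are copied from the advisory's
# rdpcorets.dll and rdpbase.dll tables; the inventory rows are constructed.
FIXED = {
    "rdpcorets.dll": {
        "KB4512506": "6.2.9200.22828", "KB4512486": "6.2.9200.22828",
        "KB4512488": "6.3.9600.19422", "KB4512517": "10.0.14393.3143",
        "KB4512518": "6.2.9200.22822", "KB4512482": "6.2.9200.22822",
        "KB4512489": "6.3.9600.19422", "KB4512497": "10.0.10240.18303",
    },
    "rdpbase.dll": {
        "KB4511553": "10.0.17763.678", "KB4512501": "10.0.17134.950",
        "KB4512516": "10.0.16299.1331", "KB4512507": "10.0.15063.1987",
        "KB4512508": "10.0.18362.295",
    },
}
INVENTORY = [  # constructed rows: host, file, observed version
    ("srv-a", "rdpbase.dll", "10.0.17763.1000"),
    ("srv-b", "rdpbase.dll", "10.0.17763.557"),
    ("srv-c", "rdpcorets.dll", "6.2.9200.22825"),
    ("srv-d", "rdpcorets.dll", "6.1.7601.24234"),
]


def parse(version):
    """'10.0.17763.678' -> (10, 0, 17763, 678), so 1000 sorts above 678."""
    return tuple(int(part) for part in version.strip().split("."))


def classify(filename, version):
    """Return (status, KBs whose fixed version is higher than the one seen).
    Assumption: below the listed version on the same major.minor.build branch
    means that update is missing."""
    seen = parse(version)
    table = FIXED.get(filename.lower(), {})
    branch = {kb: parse(v) for kb, v in table.items() if parse(v)[:3] == seen[:3]}
    if not branch:
        return "not-covered", []  # e.g. a branch the tables do not list
    missing = sorted(kb for kb, fixed in branch.items() if seen < fixed)
    if not missing:
        return "patched", []
    # Branch 6.2.9200 lists two fixed versions (22822 and 22828); between them
    # the verdict depends on which KB applies to the host.
    status = "vulnerable" if len(missing) == len(branch) else "check-kb"
    return status, missing


if __name__ == "__main__":
    for host, name, ver in INVENTORY:
        print(host, name, ver, *classify(name, ver))
```

Comparing the dotted versions as integer tuples matters here: as plain strings, 10.0.17763.1000 would sort below 10.0.17763.678 and a patched host would be reported as vulnerable.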
These new vulnerability checks are included in Qualys vulnerability signature 2.4.675-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 100381
- 110337
- 91558
- 91559
- 91560
- 91561
- 91562
- 91563
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.