Microsoft security alert.
March 10, 2020
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 112 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Security Update for March 2020
- Severity
- Urgent 5
- Qualys ID
- 100402
- Vendor Reference
- 4538461, 4540670, 4540673, 4540681, 4540688, 4540689, 4540693, 4541506, 4541509, 4541510, KB4540671
- CVE Reference
- CVE-2020-0768, CVE-2020-0824, CVE-2020-0830, CVE-2020-0832, CVE-2020-0833, CVE-2020-0847
- CVSS Scores
- Base 7.6 / Temporal 5.6
- Description
-
Microsoft releases the security update for Internet Explorer March 2020
The KB Articles associated with the update:
KB4541506
KB4541510
KB4540681
KB4540689
KB4540670
KB4538461
KB4541509
KB4540673
KB4540688
KB4540693
KB4540671
QID Detection Logic:This QID checks for the file version of Mshtml.dll
The following versions of Mshtml.dll with their corresponding KBs are verified:
KB4541506 - 9.0.8112.21422
KB4541510 - 10.0.9200.22975
KB4540681 - 11.0.16299.1747
KB4540689 - 11.0.17134.1365
KB4540670 - 11.0.14393.3564
KB4541509 - 11.0.9600.19650
KB4540688 - 11.0.9600.19650
KB4540693 - 11.0.10240.18519
- Consequence
- An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update March 2020 and ADV200004
- Severity
- Critical 4
- Qualys ID
- 110345
- Vendor Reference
- ADV200004, KB4475602, KB4484231, KB4484240, KB4484268, KB4484270
- CVE Reference
- CVE-2020-0795, CVE-2020-0850, CVE-2020-0851, CVE-2020-0852, CVE-2020-0855, CVE-2020-0892
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft has released March 2020 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4484240
KB4484231
KB4484268
KB4484270
KB4475602QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.NOTE: Microsoft released ADV200004 in April 2020 for which the fix was included in March updates.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update March 2020
-
Microsoft SharePoint Foundation and SharePoint Server Update March 2020
- Severity
- Critical 4
- Qualys ID
- 110346
- Vendor Reference
- KB4475597, KB4475606, KB4484124, KB4484150, KB4484197, KB4484242, KB4484271, KB4484272, KB4484275, KB4484277, KB4484282
- CVE Reference
- CVE-2020-0795, CVE-2020-0850, CVE-2020-0852, CVE-2020-0891, CVE-2020-0892, CVE-2020-0893, CVE-2020-0894
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft has released March 2020 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4484272
KB4484275
KB4484271
KB4475606
KB4484150
KB4484197
KB4484277
KB4484124
KB4484282
KB4484242
KB4475597QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system. - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft SharePoint Foundation and SharePoint Server March 2020
-
Microsoft Exchange Server Security Update for March 2020
- Severity
- Serious 3
- Qualys ID
- 50099
- Vendor Reference
- CVE-2020-0903
- CVE Reference
- CVE-2020-0903
- CVSS Scores
- Base 3.5 / Temporal 2.6
- Description
-
A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected server.
The security update addresses the vulnerability by helping to ensure that Exchange Server properly sanitizes web requests.
Affected Software:
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2019 Cumulative Update 4KB articles covered: 4540123.
QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe if it is lesser than:
The version for Microsoft Exchange Server 2016 Cumulative Update 14 is 15.1.1847.10
The version for Microsoft Exchange Server 2016 Cumulative Update 15 is 15.1.1913.10
The version for Microsoft Exchange Server 2019 Cumulative Update 3 is 15.2.464.14
The version for Microsoft Exchange Server 2019 Cumulative Update 4 is 15.2.529.11 - Consequence
-
Successful exploitation allows an authenticated, remote attacker to perform cross-site scripting attacks on affected systems and run script in the security context of the current user.
- Solution
-
Customers are advised to refer to CVE-2020-0903 for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4540123
-
Microsoft Team Foundation Server Update for March 2020
- Severity
- Serious 3
- Qualys ID
- 91607
- Vendor Reference
- CVE-2020-0700, CVE-2020-0758, CVE-2020-0815
- CVE Reference
- CVE-2020-0700, CVE-2020-0758, CVE-2020-0815
- CVSS Scores
- Base 6 / Temporal 4.4
- Description
-
The Microsoft Team Foundation Server update for March 2020 remediates the following vulnerabilities:
CVE-2020-0700: A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server does not properly sanitize user provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to the Team Foundation Server, which will get executed in the context of the user every time a user visits the compromised page. The security update addresses the vulnerability by ensuring that Azure DevOps Server sanitizes user inputs.
CVE-2020-0758, CVE-2020-0815: An elevation of privilege vulnerability exists when Azure DevOps Server and Team Foundation Services improperly handle pipeline job tokens. An attacker who successfully exploited this vulnerability could extend their access to a project. The update addresses the vulnerability by correcting how the Azure DevOps Server and Team Foundation Services updater handles these tokens.Affected Software:
Azure DevOps Server 2019.0.1
Azure DevOps Server 2019 Update 1
Azure DevOps Server 2019 Update 1.1
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2QID Detection Logic:
This authenticated QID locates file versions via the HKLM\Software\Microsoft\TeamFoundationServer registry key. The following files are checked:
- Consequence
-
Depending on the vulnerability being exploited, an authenticated, remote attacker could perform cross-site scripting attacks on affected systems and run script in the security context of the current user or could elevate their privileges on a project.
- Solution
-
Customers are advised to refer to March 2020 Security Release for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Azure DevOps Server 2019 Update 1
Azure DevOps Server 2019 Update 1.1
Azure DevOps Server 2019.0.1
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
-
Microsoft Windows Security Update for March 2020
- Severity
- Urgent 5
- Qualys ID
- 91609
- Vendor Reference
- KB4538461, KB4540670, KB4540673, KB4540681, KB4540688, KB4540689, KB4540693, KB4540694, KB4541500, KB4541504, KB4541505, KB4541506, KB4541509, KB4541510
- CVE Reference
- CVE-2020-0645, CVE-2020-0684, CVE-2020-0690, CVE-2020-0762, CVE-2020-0763, CVE-2020-0769, CVE-2020-0770, CVE-2020-0771, CVE-2020-0772, CVE-2020-0773, CVE-2020-0774, CVE-2020-0775, CVE-2020-0776, CVE-2020-0777, CVE-2020-0778, CVE-2020-0779, CVE-2020-0780, CVE-2020-0781, CVE-2020-0783, CVE-2020-0785, CVE-2020-0786, CVE-2020-0787, CVE-2020-0788, CVE-2020-0791, CVE-2020-0793, CVE-2020-0797, CVE-2020-0798, CVE-2020-0799, CVE-2020-0800, CVE-2020-0801, CVE-2020-0802, CVE-2020-0803, CVE-2020-0804, CVE-2020-0806, CVE-2020-0807, CVE-2020-0808, CVE-2020-0809, CVE-2020-0810, CVE-2020-0814, CVE-2020-0819, CVE-2020-0820, CVE-2020-0822, CVE-2020-0832, CVE-2020-0834, CVE-2020-0840, CVE-2020-0841, CVE-2020-0842, CVE-2020-0843, CVE-2020-0844, CVE-2020-0845, CVE-2020-0847, CVE-2020-0849, CVE-2020-0853, CVE-2020-0854, CVE-2020-0857, CVE-2020-0858, CVE-2020-0859, CVE-2020-0860, CVE-2020-0861, CVE-2020-0863, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866, CVE-2020-0867, CVE-2020-0868, CVE-2020-0869, CVE-2020-0871, CVE-2020-0874, CVE-2020-0876, CVE-2020-0877, CVE-2020-0879, CVE-2020-0880, CVE-2020-0881, CVE-2020-0882, CVE-2020-0883, CVE-2020-0885, CVE-2020-0887, CVE-2020-0896, CVE-2020-0897, CVE-2020-0898
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Microsoft releases the security update for Windows March 2020
The KB Articles associated with the update:
KB4538461
KB4540694
KB4541505
KB4540693
KB4540673
KB4541504
KB4541500
KB4540689
KB4541510
KB4541506
KB4540688
KB4541509
KB4540681
KB4540670
QID Detection Logic:
This QID checks for the file version of ntoskrnl.exe
The following versions of "ntoskrnl.exe" with their corresponding KBs are verified:
KB4538461 - 10.0.17763.1098
KB4540694 - 6.2.9200.23009
KB4541505 - 6.3.9600.19665
KB4540693 - 10.0.10240.18519
KB4540673 - 10.0.18362.719
KB4541504 - 6.0.6003.20749
KB4541500 - 6.1.7601.24549
KB4540689 - 10.0.17134.1365
KB4541510 - 6.2.9200.23009
KB4541506 - 6.0.6003.20749
KB4540688 - 6.1.7601.24549
KB4541509 - 6.3.9600.19665
KB4540681 - 10.0.16299.1747
KB4540670 - 10.0.14393.3564
- Consequence
- An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
-
Microsoft Windows Servicing Stack Security Update March 2020
- Severity
- Medium 2
- Qualys ID
- 91610
- Vendor Reference
- ADV990001
- CVE Reference
- N/A
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Microsoft has released Servicing Stack security updates for Windows 2008, Windows 7, Windows 2008 R2, Windows 10 1903, and Windows 10 1909.
QID Detection Logic (Authenticated):
This authenticated QID will check for file version of CbsCore.dll - Consequence
-
Successful exploitation may allow unauthorized disclosure of information, unauthorized modification or disruption of service.
- Solution
-
Customers are advised to refer to advisory ADV990001 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV990001
-
Microsoft Visual Studio Security Update for March 2020
- Severity
- Critical 4
- Qualys ID
- 91611
- Vendor Reference
- CVE-2020-0789, CVE-2020-0793, CVE-2020-0810, CVE-2020-0884
- CVE Reference
- CVE-2020-0789, CVE-2020-0793, CVE-2020-0810, CVE-2020-0884
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
A denial of service vulnerability exists when the Visual Studio Extension Installer Service improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.
An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges.
An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file creation in arbitrary locations.
A spoofing vulnerability exists in Microsoft Visual Studio as it includes a reply URL that is not secured by SSL. An attacker who successfully exploited this vulnerability could compromise the access tokens, exposing security and privacy risks.Affected Software:
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017 Version 15.9 (includes 15.1 - 15.8)
Microsoft Visual Studio 2019 Version 16.0
Microsoft Visual Studio 2019 Version 16.3 (includes 16.0 - 16.3)QID Detection Logic:Authenticated
This QID detects vulnerable versions of Microsoft Visual Studio by checking file version of devenv.exe. - Consequence
- Successful exploitation allows attacker to compromise the system.
- Solution
-
Customers are advised to refer to CVE-2020-0789 CVE-2020-0793 CVE-2020-0810 CVE-2020-0884 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Visual Studio March 2020
-
Microsoft Edge Security Update for March 2020
- Severity
- Critical 4
- Qualys ID
- 91613
- Vendor Reference
- 4538461, 4540670, 4540673, 4540681, 4540689, 4540693
- CVE Reference
- CVE-2020-0768, CVE-2020-0811, CVE-2020-0812, CVE-2020-0813, CVE-2020-0816, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0848
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft releases the security update for Microsoft Edge March 2020
The KB Articles associated with the update:
KB4540689
KB4538461
KB4540673
KB4540681
KB4540693
KB4540670QID Detection Logic:
This QID checks for the file version of edgehtml.dll to find the vulnerable version of the product. - Consequence
- An attacker who successfully exploited the vulnerability could lead to Remote code execution and Memory Corruption.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guidehttps://portal.msrc.microsoft.com/en-us/security-guidance
-
Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005)
- Severity
- Urgent 5
- Qualys ID
- 91614
- Vendor Reference
- ADV200005, CVE-2020-0796
- CVE Reference
- CVE-2020-0796
- CVSS Scores
- Base 7.5 / Temporal 6.2
- Description
-
A remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target.
Affected Operating System:
Windows 10 Version 1903
Windows 10 Version 1909
Windows Server 1903 (Server Core installation)
Windows Server 1909 (Server Core installation)QID Detection Logic:Authenticated
This QID checks for smb v3 enabled and workaround registry key, "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameter" DisableCompression -Type DWORD -Value 1 - Consequence
- Successful exploitation allows attacker to execute remote code.
- Solution
-
Microsoft provided workaround to disable SMBv3 Compression.
Workaround:
Disable SMBv3 compression:
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -ForcePatches:
The following are links for downloading patches to fix these vulnerabilities:
KB4551762
These new vulnerability checks are included in Qualys vulnerability signature 2.4.837-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100402
- 110345
- 110346
- 50099
- 91607
- 91609
- 91610
- 91611
- 91613
- 91614
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.