Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0049
Microsoft multiple product updates
13 February 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft .NET Framework
Visual Studio Code
ChakraCore
Java SDK for Azure IoT
Microsoft Visual Studio
Team Foundation Server
.Net Core
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Administrator Compromise -- Existing Account
Access Privileged Data -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-0676 CVE-2019-0662 CVE-2019-0660
CVE-2019-0659 CVE-2019-0658 CVE-2019-0657
CVE-2019-0656 CVE-2019-0655 CVE-2019-0654
CVE-2019-0652 CVE-2019-0651 CVE-2019-0650
CVE-2019-0649 CVE-2019-0645 CVE-2019-0644
CVE-2019-0642 CVE-2019-0641 CVE-2019-0640
CVE-2019-0637 CVE-2019-0636 CVE-2019-0635
CVE-2019-0634 CVE-2019-0633 CVE-2019-0632
CVE-2019-0631 CVE-2019-0630 CVE-2019-0628
CVE-2019-0627 CVE-2019-0626 CVE-2019-0625
CVE-2019-0623 CVE-2019-0621 CVE-2019-0619
CVE-2019-0618 CVE-2019-0616 CVE-2019-0615
CVE-2019-0613 CVE-2019-0610 CVE-2019-0607
CVE-2019-0606 CVE-2019-0605 CVE-2019-0602
CVE-2019-0601 CVE-2019-0600 CVE-2019-0599
CVE-2019-0598 CVE-2019-0597 CVE-2019-0596
CVE-2019-0595 CVE-2019-0593 CVE-2019-0591
CVE-2019-0590
Member content until: Friday, March 15 2019
OVERVIEW
Microsoft has released its monthly security patch update for the month of February 2019.
This update resolves 21 vulnerabilities across the following products: [1]
.NET Core 1.0
.NET Core 1.1
.NET Core 2.1
.NET Core 2.2
ChakraCore
Java SDK for Azure IoT
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.7.1/4.7.2
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.7/4.7.1/4.7.2
Microsoft Visual Studio 2017
Microsoft Visual Studio 2017 version 15.9
Team Foundation Server 2018 Update 3.2
Visual Studio Code
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
Remote Code Execution Critical
Remote Code Execution Critical
Remote Code Execution Critical
Remote Code Execution Critical
Remote Code Execution Critical
Remote Code Execution Important
Remote Code Execution Important
Remote Code Execution Critical
Remote Code Execution Critical
Remote Code Execution Critical
Elevation of Privilege Important
Remote Code Execution Critical
Remote Code Execution Critical
Remote Code Execution Critical
Spoofing Important
Information Disclosure Important
Remote Code Execution Important
Elevation of Privilege Important
Information Disclosure Important
Spoofing Important
Spoofing Important
MITIGATION
Microsoft recommends updating the software with the version made available on the Microsoft Update Cataloge for the following Knowledge Base articles. [1].
KB4483482, KB4486996, KB4483481, KB4483484, KB4487020
KB4487026, KB4483449, KB4483468, KB4483469, KB4483483
KB4483474, KB4487018, KB4483473, KB4487017, KB4483454
KB4483451, KB4483450, KB4483453, KB4483452, KB4483455
KB4483472, KB4483457, KB4483456, KB4483459, KB4483458
KB4483470
REFERENCES
[1] Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXGN9GmaOgq3Tt24GAQg9aw/5AVHi0So59R0VsvK3tYzxAACJTjDxGAGR
fQcJkZWWDyk2sEP/eV2OtUgV7HKiXM3x7RYgZ/nsBKAnzfPlQ4JAK2db3eyDMwyj
x34JAIG4NvXhJU+UteywW4zZCA8meoLllTxOFGm3Scq+HaUmmJs9aECmnzdmreZh
5O4AmMsSWoBToNOzJGW+0Q57fR4qTenrPVqZ4DpSbvodF5JszubladWJnBALMyor
Chfj/XeevVkfgUNOU3y7oE6kmF+cReb5SVmWPRw5SNwZ5y8bdzwElIGPQKfxoiuU
Jf0jJPuyWuCFYBWDKaUQOG+fkYpay/m3JhiryjckQYv+FNPHV+irV4ngfvSSnZW8
bqUl1KcX8Qh+IAnC3o/3nNkmqQSLLaICnj3WtV2UZC4WwlZ7dWsbkaE/gi2yI8q+
dOuk9JAPhYIGyn83P/JjY4OrFO0K5rlTqyHI8d4cmZtfhl7hHUlE5KSDxJYcJhak
X+oUB2wZd0sny+8wgZs9Zj/INGrIAwpg61LRYpMvd57siGvIIumjVjLimVWYS4UK
HnATdSJGIFdGaB33Ic6gkiz5a2V3in9Frk3KQCjumlL/UAArOCTxu/xj24zo2YF9
Le6UkK2Es7RXA9kTMu0QQ5S9kamiCdGM4umbggQC5zvmW1vAJUANk2czzGRZDE36
a0FWTgCl+rk=
=Y/8J
-----END PGP SIGNATURE-----