===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0069
                             Development Tools
                               13 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Development Tools
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account
                      Modify Arbitrary Files          -- Existing Account
                      Cross-site Scripting            -- Remote with User Interaction
                      Provide Misleading Information  -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-0809 CVE-2019-0777 CVE-2019-0773
                      CVE-2019-0771 CVE-2019-0769 CVE-2019-0757
                      CVE-2019-0746 CVE-2019-0743 CVE-2019-0742
                      CVE-2019-0741 CVE-2019-0729 CVE-2019-0728
                      CVE-2019-0658 CVE-2019-0657 CVE-2019-0655
                      CVE-2019-0652 CVE-2019-0651 CVE-2019-0649
                      CVE-2019-0644 CVE-2019-0642 CVE-2019-0640
                      CVE-2019-0639 CVE-2019-0632 CVE-2019-0631
                      CVE-2019-0627 CVE-2019-0613 CVE-2019-0611
                      CVE-2019-0610 CVE-2019-0609 CVE-2019-0607
                      CVE-2019-0605 CVE-2019-0593 CVE-2019-0592
                      CVE-2019-0591 CVE-2019-0590
Member content until: Friday, April 12 2019
Reference:            ASB-2019.0054
                      ASB-2019.0051
                      ASB-2019.0049
                      ESB-2019.0476

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of March 2019.

        This update resolves 35 vulnerabilities across the following
        products: [1]

         .NET Core 1.0
         .NET Core 2.1
         .NET Core 2.2
         .NET Core SDK 1.1
         .NET Core SDK 2.1.500
         ChakraCore
         Java SDK for Azure IoT
         Microsoft .NET Framework 2.0 Service Pack 2
         Microsoft .NET Framework 3.0 Service Pack 2
         Microsoft .NET Framework 3.5
         Microsoft .NET Framework 3.5.1
         Microsoft .NET Framework 4.5.2
         Microsoft .NET Framework 4.6
         Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.7.1/4.7.2
         Microsoft .NET Framework 4.7.2
         Microsoft .NET Framework 4.7/4.7.1/4.7.2
         Microsoft Visual Studio 2017
         Microsoft Visual Studio 2017 version 15.9
         Mono Framework Version 5.18.0.223
         Mono Framework Version 5.20.0
         Nuget 4.3.1
         Nuget 4.4.2
         Nuget 4.5.2
         Nuget 4.6.3
         Nuget 4.7.2
         Nuget 4.8.2
         Nuget 4.9.4
         PowerShell Core 6.1
         PowerShell Core 6.2
         Team Foundation Server 2017 Update 3.1
         Team Foundation Server 2018 Update 3.2
         Team Foundation Server 2018 Updated 1.2
         Visual Studio Code
         Visual Studio for Mac

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

         Details         Impact                   Severity
         CVE-2019-0590   Remote Code Execution    Critical
         CVE-2019-0591   Remote Code Execution    Critical
         CVE-2019-0592   Elevation of Privilege   Critical
         CVE-2019-0593   Remote Code Execution    Critical
         CVE-2019-0605   Remote Code Execution    Critical
         CVE-2019-0607   Remote Code Execution    Critical
         CVE-2019-0609   Remote Code Execution    Critical
         CVE-2019-0610   Remote Code Execution    Important
         CVE-2019-0611   Information Disclosure   Important
         CVE-2019-0613   Remote Code Execution    Important
         CVE-2019-0627   Security Feature Bypass  Important
         CVE-2019-0631   Security Feature Bypass  Important
         CVE-2019-0632   Security Feature Bypass  Important
         CVE-2019-0639   Remote Code Execution    Critical
         CVE-2019-0640   Remote Code Execution    Critical
         CVE-2019-0642   Remote Code Execution    Critical
         CVE-2019-0644   Remote Code Execution    Critical
         CVE-2019-0649   Elevation of Privilege   Important
         CVE-2019-0651   Remote Code Execution    Critical
         CVE-2019-0652   Remote Code Execution    Critical
         CVE-2019-0655   Remote Code Execution    Critical
         CVE-2019-0657   Spoofing                 Important
         CVE-2019-0658   Information Disclosure   Important
         CVE-2019-0728   Remote Code Execution    Important
         CVE-2019-0729   Elevation of Privilege   Important
         CVE-2019-0741   Information Disclosure   Important
         CVE-2019-0742   Spoofing                 Important
         CVE-2019-0743   Spoofing                 Important
         CVE-2019-0746   Remote Code Execution    Important
         CVE-2019-0757   Tampering                Important
         CVE-2019-0769   Remote Code Execution    Critical
         CVE-2019-0771   Remote Code Execution    Critical
         CVE-2019-0773   Remote Code Execution    Critical
         CVE-2019-0777   Spoofing                 Low
         CVE-2019-0809   Remote Code Execution    Important

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalog for the following
        Knowledge Base articles. [1]

         KB4483482, KB4486996, KB4483481, KB4483484, KB4487020
         KB4487026, KB4483449, KB4483468, KB4483469, KB4483483
         KB4483452, KB4487018, KB4483473, KB4487017, KB4483454
         KB4483451, KB4483450, KB4483453, KB4483474, KB4483455
         KB4483472, KB4483457, KB4483470, KB4483459, KB4483458
         KB4483456

REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================