===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0139
                 Microsoft Developer Tools security updates
                                15 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Developer Tools
Operating System:     Windows
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account
                      Modify Arbitrary Files          -- Existing Account
                      Denial of Service               -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Existing Account
                      Cross-site Request Forgery      -- Existing Account
                      Cross-site Scripting            -- Existing Account
                      Provide Misleading Information  -- Existing Account
                      Access Confidential Data        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-1000 CVE-2019-0982 CVE-2019-0981
                      CVE-2019-0980 CVE-2019-0979 CVE-2019-0976
                      CVE-2019-0971 CVE-2019-0937 CVE-2019-0933
                      CVE-2019-0927 CVE-2019-0925 CVE-2019-0924
                      CVE-2019-0922 CVE-2019-0917 CVE-2019-0916
                      CVE-2019-0915 CVE-2019-0914 CVE-2019-0913
                      CVE-2019-0912 CVE-2019-0911 CVE-2019-0872
                      CVE-2019-0864 CVE-2019-0820 CVE-2019-0727
Member content until: Friday, June 14 2019
Reference:            ASB-2019.0137

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of May 2019.
        This update resolves 24 vulnerabilities across the following
        products: [1]

         .NET Core 1.0
         .NET Core 1.1
         .NET Core 2.1
         .NET Core 2.2
         ASP.NET Core 2.1
         ASP.NET Core 2.2
         Azure DevOps Server 2019
         ChakraCore
         Microsoft .NET Framework 2.0 Service Pack 2
         Microsoft .NET Framework 3.0 Service Pack 2
         Microsoft .NET Framework 3.5
         Microsoft .NET Framework 3.5.1
         Microsoft .NET Framework 4.5.2
         Microsoft .NET Framework 4.6
         Microsoft .NET Framework 4.6.2
         Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.7.1/4.7.2
         Microsoft .NET Framework 4.7.2
         Microsoft .NET Framework 4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.8
         Microsoft Azure Active Directory Connect
         Microsoft Visual Studio 2015 Update 3
         Microsoft Visual Studio 2017 version 15.0
         Microsoft Visual Studio 2017 version 15.9
         Microsoft Visual Studio 2019 version 16.0
         Nuget 5.0.2
         Team Foundation Server 2015 Update 4.2
         Team Foundation Server 2017 Update 3.1
         Team Foundation Server 2018 Update 1.2
         Team Foundation Server 2018 Update 3.2

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

         Details         Impact                   Severity
         CVE-2019-0727   Elevation of Privilege   Important
         CVE-2019-0820   Denial of Service        Important
         CVE-2019-0864   Denial of Service        Important
         CVE-2019-0872   Spoofing                 Important
         CVE-2019-0911   Remote Code Execution    Critical
         CVE-2019-0912   Remote Code Execution    Critical
         CVE-2019-0913   Remote Code Execution    Critical
         CVE-2019-0914   Remote Code Execution    Critical
         CVE-2019-0915   Remote Code Execution    Critical
         CVE-2019-0916   Remote Code Execution    Critical
         CVE-2019-0917   Remote Code Execution    Critical
         CVE-2019-0922   Remote Code Execution    Critical
         CVE-2019-0924   Remote Code Execution    Critical
         CVE-2019-0925   Remote Code Execution    Critical
         CVE-2019-0927   Remote Code Execution    Critical
         CVE-2019-0933   Remote Code Execution    Critical
         CVE-2019-0937   Remote Code Execution    Critical
         CVE-2019-0971   Information Disclosure   Important
         CVE-2019-0976   Tampering                Important
         CVE-2019-0979   Spoofing                 Important
         CVE-2019-0980   Denial of Service        Important
         CVE-2019-0981   Denial of Service        Important
         CVE-2019-0982   Denial of Service        Important
         CVE-2019-1000   Elevation of Privilege   Important

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalogue for the following
        Knowledge Base articles. [1]

         KB4499179, KB4494440, KB4499154, KB4499409, KB4499408
         KB4495611, KB4499405, KB4499407, KB4499406, KB4495610
         KB4499167, KB4489639, KB4495613, KB4495616, KB4499181
         KB4498964, KB4498961, KB4495620, KB4498963, KB4498962

REFERENCES

        [1] Microsoft Security Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================