===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0181
        Microsoft Development Tools security updates for July 2019
                               10 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ASP.NET Core
                      Azure DevOps Server
                      Azure IoT Edge
                      ChakraCore
                      Microsoft .NET Framework
                      Microsoft Azure Kubernetes Service
                      Microsoft Visual Studio 2010
                      Microsoft Visual Studio 2012
                      Microsoft Visual Studio 2013
                      Microsoft Visual Studio 2015
                      Microsoft Visual Studio 2017
                      Microsoft Visual Studio 2019
                      Microsoft.IdentityModel
                      Team Foundation Server 2010
                      Team Foundation Server 2012
                      Team Foundation Server 2013
                      Team Foundation Server 2015
                      Team Foundation Server 2017
                      Team Foundation Server 2018
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote/Unauthenticated
                      Cross-site Scripting            -- Existing Account
                      Provide Misleading Information  -- Remote with User Interaction
                      Unauthorised Access             -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-1113 CVE-2019-1107 CVE-2019-1106
                      CVE-2019-1103 CVE-2019-1092 CVE-2019-1083
                      CVE-2019-1079 CVE-2019-1077 CVE-2019-1076
                      CVE-2019-1075 CVE-2019-1072 CVE-2019-1062
                      CVE-2019-1006 CVE-2019-1001 CVE-2018-15664
Member content until: Friday, August 9 2019

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of July 2019. [1]

        This update resolves 15 vulnerabilities across the following
        products:

         ASP.NET Core 2.1
         ASP.NET Core 2.2
         Azure DevOps Server 2019.0.1
         Azure IoT Edge
         ChakraCore
         Microsoft .NET Framework 2.0 Service Pack 2
         Microsoft .NET Framework 3.0 Service Pack 2
         Microsoft .NET Framework 3.5
         Microsoft .NET Framework 3.5 AND 4.7.2
         Microsoft .NET Framework 3.5 AND 4.8
         Microsoft .NET Framework 3.5.1
         Microsoft .NET Framework 4.5.2
         Microsoft .NET Framework 4.6
         Microsoft .NET Framework 4.6/4.6.1/4.6.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.8
         Microsoft Azure Kubernetes Service
         Microsoft Visual Studio 2010 Service Pack 1
         Microsoft Visual Studio 2012 Update 5
         Microsoft Visual Studio 2013 Update 5
         Microsoft Visual Studio 2015 Update 3
         Microsoft Visual Studio 2017
         Microsoft Visual Studio 2017 version 15.9
         Microsoft Visual Studio 2019 version 16.0
         Microsoft Visual Studio 2019 version 16.1
         Microsoft.IdentityModel 7.0.0
         Team Foundation Server 2010 SP1 (x64)
         Team Foundation Server 2010 SP1 (x86)
         Team Foundation Server 2012 Update 4
         Team Foundation Server 2013 Update 5
         Team Foundation Server 2015 Update 4.2
         Team Foundation Server 2017 Update 3.1
         Team Foundation Server 2018 Update 1.2
         Team Foundation Server 2018 Update 3.2

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

         Details         Impact                   Severity
         CVE-2018-15664  Elevation of Privilege   Important
         CVE-2019-1001   Remote Code Execution    Critical
         CVE-2019-1006   Elevation of Privilege   Important
         CVE-2019-1062   Remote Code Execution    Critical
         CVE-2019-1072   Remote Code Execution    Critical
         CVE-2019-1075   Spoofing                 Moderate
         CVE-2019-1076   Spoofing                 Important
         CVE-2019-1077   Elevation of Privilege   Important
         CVE-2019-1079   Information Disclosure   Important
         CVE-2019-1083   Denial of Service        Important
         CVE-2019-1092   Remote Code Execution    Critical
         CVE-2019-1103   Remote Code Execution    Critical
         CVE-2019-1106   Remote Code Execution    Critical
         CVE-2019-1107   Remote Code Execution    Critical
         CVE-2019-1113   Remote Code Execution    Critical

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalog for the following
        Knowledge Base articles. [1]

         KB4507423, KB4507422, KB4507421, KB4507420, KB4506161
         KB4506163, KB4507460, KB4506164, KB4506991, KB4507450
         KB4507455, KB4507458, KB4507435, KB4506162, KB4507419
         KB4507414, KB4507412, KB4507413, KB4507411, KB4506987
         KB4506986, KB4506989, KB4506988

REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================