Microsoft has released security updates for the following products: Windows, Windows Server, Microsoft Edge, Internet Explorer, Office, SharePoint Server, SQL Server, Visual Studio, Team Foundation Server, Azure DevOps Server, Dynamics CRM/365, .NET Framework/.NET Core, ASP.NET Core, Chakra Core and Adobe Flash Player.
A summary of the number and type of vulnerabilities in the respective products is shown in the chart below:
Please note
The following vulnerabilities and security updates deserve special attention:
Windows/Windows Server
CVE-2019-0863 – Windows Error Reporting Elevation of Privilege Vulnerability (Exploitation Detected!)
CVE-2019-0893 – Jet Database Engine Remote Code Execution Vulnerability
CVE-2019-0903 – GDI+ Remote Code Execution Vulnerability
CVE-2019-0725 – Windows DHCP Server Remote Code Execution Vulnerability (No authentication required!)
CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability (Wormable! No authentication or user interaction required)
Windows 7, Windows Server 2008 R2 and Windows Server 2008 are affected. Modern operating systems are NOT affected.
Windows XP, Windows Server 2003 updates – KB4500705
Mitigating Factors: Disable Remote Desktop Services if they are not required.
Workarounds: Enable Network Level Authentication (NLA) to block unauthenticated attackers from exploiting this vulnerability.
Microsoft Browsers
CVE-2019-0911 – Scripting Engine Memory Corruption Vulnerability
Microsoft Office
CVE-2019-0953 – Microsoft Word Remote Code Execution Vulnerability
Microsoft SharePoint
CVE-2019-0925 – Microsoft SharePoint Server Remote Code Execution Vulnerability
Microsoft SQL
CVE-2019-0819 – Microsoft SQL Server Analysis Services Information Disclosure Vulnerability
Microsoft Dynamics
CVE-2019-1008 – Microsoft Dynamics On-Premise Security Feature Bypass
.NET Framework/Core
CVE-2019-0820 – .NET Framework and .NET Core Denial of Service Vulnerability
CVE-2019-0980 – .NET Framework and .NET Core Denial of Service Vulnerability
CVE-2019-0981 – .NET Framework and .NET Core Denial of Service Vulnerability
CVE-2019-0964 – .NET Framework Denial of Service Vulnerability
ASP.NET Core
CVE-2019-0982 – ASP.NET Core Denial of Service Vulnerability
Team Foundation Server/Azure DevOps Server
CVE-2019-0872 – Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
CVE-2019-0971 – Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
CVE-2019-0979 – Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
Visual Studio
CVE-2019-0727 – Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability
Azure Active Directory Connect
CVE-2019-1000 – Microsoft Azure AD Connect Elevation of Privilege Vulnerability
NuGet Package Manager for Linux and Mac
CVE-2019-0976 – NuGet Package Manager Tampering Vulnerability
Security Advisories
The following security advisories were released:
ADV190012 – May 2019 Adobe Flash Security Update
ADV190013 – Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling:
CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2018-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
The following security advisories were supplemented and updated:
ADV990001 – Latest Servicing Stack Updates
New Servicing Stack Update for Windows 10, Windows 10 (and Server equivalent) version 1607, v1703, v1709, v1803, v1809, v1903, Server 2016 and 2019