On May 14, 2019, Microsoft released a new set of security updates as part of its monthly Patch Tuesday. A total of 79 security fixes were released, including 23 rated critical.

The updates fix vulnerabilities in, among others:

  • .NET Core
  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Graphics Component
  • Microsoft JET Database Engine
  • Microsoft Office
  • Microsoft Office SharePoint
  • Microsoft Scripting Engine
  • Microsoft Windows
  • Windows DHCP Server
  • Windows RDP

The most significant vulnerabilities fixed are:

CVE-2019-0863 – an elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploits this vulnerability can run arbitrary code in the kernel. This allows installing programs, viewing/changing/deleting data, or creating new accounts with administrator rights.

CVE-2019-0932 – an information disclosure vulnerability exists in Skype for Android. An attacker who exploits this vulnerability can eavesdrop on conversations without the users' knowledge.

CVE-2019-0708 – a remote code execution vulnerability in the Windows Remote Desktop service. An unauthenticated attacker can exploit this vulnerability by sending specially crafted packets to the affected service and then executing arbitrary code on the target system.

A detailed list of the updates is given below:

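| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Framework Denial of Service Vulnerability | CVE-2019-0864 | No | No | Less Likely | Less Likely | Important | | |
| .NET Framework and .NET Core Denial of Service Vulnerability | CVE-2019-0820 | No | No | Less Likely | Less Likely | Important | | |
| .Net Framework and .Net Core Denial of Service Vulnerability | CVE-2019-0980 | No | No | Less Likely | Less Likely | Important | | |
| .Net Framework and .Net Core Denial of Service Vulnerability | CVE-2019-0981 | No | No | Less Likely | Less Likely | Important | | |
| ASP.NET Core Denial of Service Vulnerability | CVE-2019-0982 | No | No | Less Likely | Less Likely | Important | | |
| Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0872 | No | No | Less Likely | Less Likely | Important | | |
| Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0979 | No | No | | | Important | | |
| Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability | CVE-2019-0971 | No | No | Less Likely | Less Likely | Important | | |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0912 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0913 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0914 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0915 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0916 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0917 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0922 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0923 | No | No | | | Important | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0924 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0925 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0927 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0933 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0937 | No | No | | | Critical | 4.2 | 3.8 |
| Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability | CVE-2019-0727 | No | No | Less Likely | Less Likely | Important | 6.7 | 6.0 |
| GDI+ Remote Code Execution Vulnerability | CVE-2019-0903 | No | No | More Likely | More Likely | Critical | 8.8 | 7.9 |
| Internet Explorer Information Disclosure Vulnerability | CVE-2019-0930 | No | No | More Likely | More Likely | Important | 2.4 | 2.2 |
| Internet Explorer Memory Corruption Vulnerability | CVE-2019-0929 | No | No | | | Critical | 7.5 | 6.7 |
| Internet Explorer Security Feature Bypass Vulnerability | CVE-2019-0995 | No | No | | | Important | 7.3 | 6.6 |
| Internet Explorer Spoofing Vulnerability | CVE-2019-0921 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0893 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0894 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0895 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0896 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0897 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0898 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0899 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0900 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0901 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0902 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0889 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0890 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0891 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Latest Servicing Stack Updates | ADV990001 | No | No | | | Critical | | |
| May 2019 Adobe Flash Security Update | ADV190012 | No | No | | | Critical | | |
| Microsoft Azure AD Connect Elevation of Privilege Vulnerability | CVE-2019-1000 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Browser Memory Corruption Vulnerability | CVE-2019-0940 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Microsoft Dynamics On-Premise Security Feature Bypass | CVE-2019-1008 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Edge Elevation of Privilege Vulnerability | CVE-2019-0938 | No | No | | | Important | 2.4 | 3.8 |
| Microsoft Edge Memory Corruption Vulnerability | CVE-2019-0926 | No | No | | | Critical | 2.4 | 3.8 |
| Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities | ADV190013 | No | No | More Likely | More Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0945 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0946 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0947 | No | No | | | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-0963 | No | No | | | Important | | |
| Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | CVE-2019-0819 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0957 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0958 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Server Information Disclosure Vulnerability | CVE-2019-0956 | No | No | | | Important | | |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2019-0952 | No | No | | | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0949 | No | No | | | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0950 | No | No | | | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0951 | No | No | | | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2019-0953 | No | No | Less Likely | Less Likely | Critical | | |
| NuGet Package Manager Tampering Vulnerability | CVE-2019-0976 | No | No | Less Likely | Less Likely | Important | | |
| Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-0708 | No | No | | | Critical | 9.8 | 8.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0884 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0911 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0918 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Skype for Android Information Disclosure Vulnerability | CVE-2019-0932 | Yes | No | Less Likely | Less Likely | Important | | |
| Unified Write Filter Elevation of Privilege Vulnerability | CVE-2019-0942 | No | No | Less Likely | Less Likely | Important | 4.4 | 4.0 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-0892 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows DHCP Server Remote Code Execution Vulnerability | CVE-2019-0725 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3 |
| Windows Defender Application Control Security Feature Bypass Vulnerability | CVE-2019-0733 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0734 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0936 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2019-0863 | Yes | Yes | Detected | Detected | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0882 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0961 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0758 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows Hyper-V Information Disclosure Vulnerability | CVE-2019-0886 | No | No | Less Likely | Less Likely | Important | 5.3 | 5.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-0881 | No | No | More Likely | More Likely | Important | 8.8 | 7.9 |
| Windows NDIS Elevation of Privilege Vulnerability | CVE-2019-0707 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Windows OLE Remote Code Execution Vulnerability | CVE-2019-0885 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Storage Service Elevation of Privilege Vulnerability | CVE-2019-0931 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |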