On this 8 January 2019, Microsoft may be wishing Happy New Year to their customer by releasing many security updates. In this new update Microsoft has fixed many critical bugs like Remote Code Execution as well as important bugs which is vulnerable to various type of Information Disclosure.
Source - Microsoft
The January security release consists of security updates for...
the following software:
⦁ Adobe Flash Player
⦁ Internet Explorer
⦁ Microsoft Edge
⦁ Microsoft Windows
⦁ Microsoft Office and Microsoft Office Services and Web Apps
⦁ ChakraCore
⦁ .NET Framework
⦁ ASP.NET
⦁ Microsoft Exchange Server
⦁ Microsoft Visual Studio
The following CVEs have FAQs with additional information and may include * further steps to take after installing the updates.
ADV190001 - Adobe Flash Update.
These updates address feature and performance bugs, and do not include security fixes. (update available for many versions of Windows 10 , Windows 8.1 , Windows Server 2012 , Server 2016 , latest Server 2019 and many Core Server as well.)
CVE-2019-0536 , CVE-2019-0549 , CVE-2019-0554 , CVE-2019-0569 - Windows Kernel Information Disclosure Vulnerability.
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. For exploiting this vulnerability attacker need a physical access to system and need to launch specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. (update available for many versions of Windows 10 , Windows 7, Windows 8.1 , Windows Server 2008, Server 2012 , Server 2016 , latest Server 2019 and many Core Server as well.)
CVE-2019-0537 - Microsoft Visual Studio Information Disclosure Vulnerability.
An information disclosure vulnerability exists when Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file. An attacker who took advantage of this information disclosure could view arbitrary file contents from the computer where the victim launched Visual Studio. To take advantage of the vulnerability, an attacker would need to trick a user into opening a malicious .vscontent file using a vulnerable version of Visual Studio. (Updates available for MS Visual Studio 2010 Service Pack 1 and MS Visual Studio 2012 Update 5)
CVE-2019-0545 - .NET Framework Information Disclosure Vulnerability.
An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. (Updates available to almost all version of .Net Core and Framework for all Windows 7 to Windows 10 and Windows Server 2008 to latest Server 2019).
CVE-2019-0553 - Windows Subsystem for Linux Information Disclosure Vulnerability.
An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. A attacker could exploit this vulnerability by running a specially crafted application. (Update available to only some versions of Windows 10 & Latest Windows Server 2019 and Core Server as well.)
CVE-2019-0559 - Microsoft Outlook Information Disclosure Vulnerability.
An information disclosure vulnerability exists when Microsoft Outlook improperly handles certain types of messages. An attacker who successfully exploited this vulnerability could gather information about the victim. An attacker could exploit this vulnerability by sending a specially crafted email to the victim. (Updates available to versions of MS Outlook 2010, Outlook 2013, Outlook 2016, Outlook 2019 and Office 365 ProPlus.)
CVE-2019-0560 - Microsoft Office Information Disclosure Vulnerability.
An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created. (Updates available to few versions of MS Office 2010, Office 2013, Office 2016, Office 2019 and Office 365 ProPlus.)
CVE-2019-0561 - Microsoft Word Information Disclosure Vulnerability.
An information disclosure vulnerability exists when Microsoft Word macro buttons are used improperly. An attacker who successfully exploited this vulnerability could read arbitrary files from a targeted system. To exploit the vulnerability, an attacker could craft a special document file and convince the user to open it. An attacker must know the file location whose data they wish to exfiltrate. (Updates available to few versions of MS Office 2010, Office 2016, Office 2019 and Office 365 ProPlu ; Few versions of Microsoft Word 2010, 2013, 2016 ; MS SharePoint Server 2010 SP 2 ; MS Office Web Apps Server 2010 SP 2. These updates are available for Windows OS and Apple Mac as well.)
CVE-2019-0585 - Microsoft Word Remote Code Execution Vulnerability.
A remote code execution vulnerability exists in vulnerable Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. (Updates available to few versions of MS Office 2010, Office 2016, Office 2019 and Office 365 ProPlu ; Few versions of Microsoft Word 2010, 2013, 2016 ; Versions of MS SharePoint Server & MS SharePoint Enterprise Server - 2010 SP 2, 2013 SP 1, 2016, 2019; MS Office Web Apps Server 2010 SP 2. These updates are available for Windows OS and Apple Mac OS as well.)
CVE-2019-0588 - Microsoft Exchange Information Disclosure Vulnerability.
An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended. To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The attacker would then be able to view additional details about the calendar that would normally be hidden such as the subject of a meeting, which would otherwise not be disclosed. (Update available to MS Exchange Server - 2010 SP 3 , 2013, 2016, 2019)
Windows Users and System Administrators are strongly recommended to apply the latest security patches as soon as possible to keep hackers and cyber-criminals away from taking control of their systems.
For installing the latest security patch updates, go to Settings → Update & Security → Windows Update → Check for updates, on your computer system or you can install the updates manually.
After applying these updates some of the systems or applications may not work as intended, so all Administrator needs to read instruction carefully provided by Microsoft before applying those updates directly on the production environment. If you get any issue after applying these updates Microsoft has provided some solution and Microsoft also said that they will provide remaining solution by this month end.
Share this post & Comment below your suggestion
No comments:
Post a Comment