Overview
Among the vulnerabilities that Microsoft has updated in this month, there are 13 critical ones which exist in products like Hyper-V, VBScript, Exchange, and Scripting Engine.
Overview of Critical Vulnerabilities
Microsoft Hyper-V
The update fixes five key security vulnerabilities in Hyper-V.
The vulnerabilities are summarized as follows:
| CVE ID | Impact | Vulnerability Description | |
| CVE-2019-0719 | Remote code execution | This issue exists when the Windows Hyper-V network switch on the host does not properly validate input from an authenticated user on a guest operating system.
To exploit this vulnerability, an attacker could run a specially crafted application on a guest operating system, causing arbitrary code execution on the Hyper-V host operating system. |
|
| CVE-2019-0721 | Remote code execution | Same as CVE-2019-0719 | |
| CVE-2019-1389 | Remote code execution | This issue exists when the Windows Hyper-V on the host does not properly validate input from an authenticated user on a guest operating system.
To exploit this vulnerability, an attacker could run a specially crafted application on a guest operating system, causing arbitrary code execution on the Hyper-V host operating system. |
|
| CVE-2019-1397 | Remote code execution | Same as CVE-2019-1389 | |
| CVE-2019-1398 | Remote code execution | Same as CVE-2019-1389 | |
For more details and updates on the vulnerability, please refer to the official Microsoft Security Notice:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0719
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0721
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1389
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1397
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1398
Microsoft VBScript
A critical security vulnerability in VBScript was fixed in the update.
The vulnerabilities are summarized as follows:
| CVE ID | Impact | Vulnerability Description | |
| CVE-2019-1390 | Remote code execution | A remote code execution vulnerability exists in the VBScript engine’s handling of in-memory objects.
An attacker who successfully exploits the vulnerability could gain the same permissions as the current user. If the current user logs in with administrative rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system and then install programs, view data, modify or delete data, or create accounts with full user rights. In order to trigger this vulnerability, an attacker could induce a user to use an Internet Explorer browser to access a malicious website created by an attacker, or to open an Office document or application that contains an ActiveX control labeled “safe initialization.” |
|
For more details and updates on the vulnerability, please refer to the official Microsoft Security Notice:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1390
Microsoft Scripting Engine
The update fixes three key security vulnerabilities in the Scripting Engine.
The vulnerabilities are summarized as follows:
| CVE ID | Impact | Vulnerability Description | |
| CVE-2019-1429
(Already found to use) |
Remote code executionA remote code execution vulnerability exists in the Scripting Engine’s handling of memory objects in Internet Explorer. | The vulnerability could cause memory corruption, and an attacker who successfully exploits the vulnerability might gain the same privileges as the current user. If the current user logs in with administrative rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system and then install programs, view data, modify or delete data, or create accounts with full user rights.
An attacker could trigger this vulnerability by inducing a user to use an Internet Explorer browser to access a malicious website created by an attacker or to open a malicious office document. |
|
| CVE-2019-1427 | Remote code executionA remote code execution vulnerability exists in the Scripting Engine’s handling of memory objects in Microsoft Edge. | The vulnerability could cause memory corruption, and an attacker who successfully exploits the vulnerability might gain the same privileges as the current user. If the current user logs in with administrative rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system and then install programs, view data, modify or delete data, or create accounts with full user rights.
An attacker could trigger a vulnerability by inducing a user to use a Microsoft Edge browser to access a malicious website created by an attacker. |
|
| CVE-2019-1428 | Remote code execution | Same as CVE-2019-1427 | |
For more details and updates on the vulnerability, please refer to the official Microsoft Security Notice:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1428
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1427
Microsoft Exchange
The update fixes a key security vulnerability in Exchange.
The vulnerabilities are summarized as follows:
| CVE ID | Impact | Vulnerability Description | |
| CVE-2019-1373 | Remote code executionA remote code execution vulnerability exists in the way Microsoft Exchange desterilizes metadata through PowerShell. | An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the login user.
Exploitation of this vulnerability requires users to run cmdlets through PowerShell. |
|
For more details and updates on the vulnerability, please refer to the official Microsoft Security Notice:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1373
OpenType Font Parsing
The update fixes a key security vulnerability in OpenType font parsing.
The vulnerabilities are summarized as follows:
| CVE ID | Impact | Vulnerability Description | |
| CVE-2019-1419 | Remote code execution | A remote code execution vulnerability exists in the way the Windows Adobe Type Manager library does not properly handle specially crafted OpenType fonts.
For all systems except Windows 10, an attacker who successfully exploits this vulnerability could remotely execute code. For Windows 10 systems, an attacker who successfully exploits this vulnerability could execute code in the AppContainer sandbox context with limited privileges and functionality. An attacker could exploit this vulnerability in a number of ways, such as convincing a user to open a specially crafted document or convincing a user to access a web page that contains a specially crafted embedded OpenType font. |
|
For more details and updates on the vulnerability, please refer to the official Microsoft Security Notice:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1419
Microsoft Windows Media Foundation
A critical security vulnerability in Microsoft Windows Media Foundation was fixed in the update.
The vulnerabilities are summarized as follows:
| CVE ID | Impact | Vulnerability Description | |
| CVE-2019-1430 | Remote code execution | A remote code execution vulnerability exists when Windows Media Foundation cannot properly parse a specially crafted QuickTime media file.
An attacker who successfully exploits this vulnerability could gain the same user rights as a local user. To exploit this vulnerability, an attacker would have to send a specially crafted QuickTime file to the user and convince them to open it. When opened, a malicious QuickTime file will execute code on the target system. |
|
For more details and updates on the vulnerability, please refer to the official Microsoft Security Notice:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1430
Win32k Graphics
The update fixes a key security vulnerability in Win32k Graphics.
The vulnerabilities are summarized as follows:
| CVE ID | Impact | Vulnerability Description | |
| CVE-2019-1441 | Remote code execution | A remote code execution vulnerability exists in the Windows font library when it improperly handles specially crafted embedded fonts.
An attacker who successfully exploits this vulnerability could control the affected system. An attacker could install a program; view, change, or delete data; or create a new account with full user rights. An attacker could exploit this vulnerability in a number of ways. (1) In a web-based attack scenario, a user may be tempted to access a malicious website created by an attacker. A common method is to let the user click a link in an email or Instant Messenger message, or open an attachment sent via email. (2) In a file sharing attack scenario, an attacker may provide a specially crafted document file and convince the user to open it. |
|
For more details and updates on the vulnerability, please refer to the official Microsoft Security Notice:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1441
Solution
Microsoft officially has released an update patch, please update the patch in time.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
