Overview
Microsoft released its May 2019 security patches on Tuesday, fixing 82 vulnerabilities that range from simple spoofing attacks to remote code execution in various products, including .NET Core, .NET Framework, Adobe Flash Player, Azure, Internet Explorer, Kerberos, Microsoft Browsers, Microsoft Dynamics, Microsoft Edge, Microsoft Graphics Component, Microsoft JET Database Engine, Microsoft Office, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Windows, NuGet, Servicing Stack Updates, Skype for Android, SQL Server, Team Foundation Server, Windows DHCP Server, Windows Diagnostic Hub, Windows Kernel, Windows NDIS, and Windows RDP.
Details can be found in the following table.
Product | CVE ID | CVE Title | Severity Level |
.NET Core | CVE-2019-0980 | .Net Framework and .Net Core Denial-of-Service Vulnerability | Important |
.NET Core | CVE-2019-0981 | .Net Framework and .Net Core Denial-of-Service Vulnerability | Important |
.NET Core | CVE-2019-0982 | ASP.NET Core Denial-of-Service Vulnerability | Important |
.NET Framework | CVE-2019-0820 | .Net Framework and .Net Core Denial-of-Service Vulnerability | Important |
.NET Framework | CVE-2019-0864 | .NET Framework Denial-of-Service Vulnerability | Important |
Adobe Flash Player | ADV190012 | May 2019 Adobe Flash Security Updates | Critical |
Azure | CVE-2019-1000 | Microsoft Azure AD Connect Privilege Escalation Vulnerability | Important |
Internet Explorer | CVE-2019-0921 | Internet Explorer Spoofing Vulnerability | Important |
Internet Explorer | CVE-2019-0929 | Internet Explorer Memory Corruption Vulnerability | Critical |
Internet Explorer | CVE-2019-0930 | Internet Explorer Information Disclosure Vulnerability | Important |
Internet Explorer | CVE-2019-0995 | Internet Explorer Security Feature Bypass Vulnerability | Important |
Kerberos | CVE-2019-0734 | Windows Privilege Escalation Vulnerability | Important |
Microsoft Browsers | CVE-2019-0940 | Microsoft Browser Memory Corruption Vulnerability | Critical |
Microsoft Dynamics | CVE-2019-1008 | Microsoft Dynamics On-Premise Security Feature Bypass | Important |
Microsoft Edge | CVE-2019-0926 | Microsoft Edge Memory Corruption Vulnerability | Critical |
Microsoft Edge | CVE-2019-0938 | Microsoft Edge Privilege Escalation Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-0882 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-0892 | Win32k Privilege Escalation Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-0903 | GDI+ Remote Code Execution Vulnerability | Critical |
Microsoft Graphics Component | CVE-2019-0961 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2019-0758 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0893 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0894 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0895 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0896 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0897 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0898 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0899 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0900 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0901 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0902 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0889 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0890 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft JET Database Engine | CVE-2019-0891 | Jet Database Engine Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2019-0945 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2019-0946 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2019-0947 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2019-0953 | Microsoft Word Remote Code Execution Vulnerability | Critical |
Microsoft Office SharePoint | CVE-2019-0956 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
Microsoft Office SharePoint | CVE-2019-0957 | Microsoft SharePoint Privilege Escalation Vulnerability | Important |
Microsoft Office SharePoint | CVE-2019-0958 | Microsoft SharePoint Privilege Escalation Vulnerability | Important |
Microsoft Office SharePoint | CVE-2019-0963 | Microsoft Office SharePoint XSS Vulnerability | Important |
Microsoft Office SharePoint | CVE-2019-0949 | Microsoft SharePoint Spoofing Vulnerability | Important |
Microsoft Office SharePoint | CVE-2019-0950 | Microsoft SharePoint Spoofing Vulnerability | Important |
Microsoft Office SharePoint | CVE-2019-0951 | Microsoft SharePoint Spoofing Vulnerability | Important |
Microsoft Office SharePoint | CVE-2019-0952 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Scripting Engine | CVE-2019-0884 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0911 | Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0912 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0913 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0914 | Chakra Scripting Engine Memory Corruption Vulnerability | Moderate |
Microsoft Scripting Engine | CVE-2019-0915 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0916 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0917 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0918 | Scripting Engine Memory Corruption Vulnerability | Moderate |
Microsoft Scripting Engine | CVE-2019-0922 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0923 | Chakra Scripting Engine Memory Corruption Vulnerability | Important |
Microsoft Scripting Engine | CVE-2019-0924 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0925 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0927 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0933 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Scripting Engine | CVE-2019-0937 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical |
Microsoft Windows | CVE-2019-0863 | Windows Error Reporting Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2019-0886 | Windows Hyper-V Information Disclosure Vulnerability | Important |
Microsoft Windows | CVE-2019-0942 | Unified Write Filter Privilege Escalation Vulnerability | Important |
Microsoft Windows | CVE-2019-0733 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important |
Microsoft Windows | CVE-2019-0885 | Windows OLE Remote Code Execution Vulnerability | Important |
Microsoft Windows | CVE-2019-0931 | Windows Storage Service Privilege Escalation Vulnerability | Important |
Microsoft Windows | ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities | Important |
Microsoft Windows | CVE-2019-0936 | Windows Privilege Escalation Vulnerability | Important |
NuGet | CVE-2019-0976 | NuGet Package Manager Tampering Vulnerability | Important |
Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates | Critical |
Skype for Android | CVE-2019-0932 | Skype for Android Information Disclosure Vulnerability | Important |
SQL Server | CVE-2019-0819 | Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | Important |
Team Foundation Server | CVE-2019-0971 | Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability | Important |
Team Foundation Server | CVE-2019-0872 | Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | Important |
Team Foundation Server | CVE-2019-0979 | Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | Important |
Windows DHCP Server | CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability | Critical |
Windows Diagnostic Hub | CVE-2019-0727 | Diagnostics Hub Standard Collector, Visual Studio Standard Collector Privilege Escalation Vulnerability | Important |
Windows Kernel | CVE-2019-0881 | Windows Kernel Privilege Escalation Vulnerability | Important |
Windows NDIS | CVE-2019-0707 | Windows NDIS Privilege Escalation Vulnerability | Important |
Windows RDP | CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability | Critical |
Recommended Mitigation Measures
Microsoft has released security updates to fix these issues. Please download and install them as soon as possible.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
https://www.nsfocusglobal.com.
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.