This report contains detail for the following vulnerabilities:
| Tag | CVE ID | CVE Title |
|---|---|---|
| .NET Core | CVE-2019-0982 | ASP.NET Core Denial of Service Vulnerability |
| .NET Core | CVE-2019-0981 | .Net Framework and .Net Core Denial of Service Vulnerability |
| .NET Core | CVE-2019-0980 | .Net Framework and .Net Core Denial of Service Vulnerability |
| .NET Framework | CVE-2019-0864 | .NET Framework Denial of Service Vulnerability |
| .NET Framework | CVE-2019-0820 | .NET Framework and .NET Core Denial of Service Vulnerability |
| Adobe Flash Player | ADV190012 | May 2019 Adobe Flash Security Update |
| Azure | CVE-2019-1000 | Microsoft Azure AD Connect Elevation of Privilege Vulnerability |
| Internet Explorer | CVE-2019-0929 | Internet Explorer Memory Corruption Vulnerability |
| Internet Explorer | CVE-2019-0995 | Internet Explorer Security Feature Bypass Vulnerability |
| Internet Explorer | CVE-2019-0930 | Internet Explorer Information Disclosure Vulnerability |
| Internet Explorer | CVE-2019-0921 | Internet Explorer Spoofing Vulnerability |
| Kerberos | CVE-2019-0734 | Windows Elevation of Privilege Vulnerability |
| Microsoft Browsers | CVE-2019-0940 | Microsoft Browser Memory Corruption Vulnerability |
| Microsoft Dynamics | CVE-2019-1008 | Microsoft Dynamics On-Premise Security Feature Bypass |
| Microsoft Edge | CVE-2019-0938 | Microsoft Edge Elevation of Privilege Vulnerability |
| Microsoft Edge | CVE-2019-0926 | Microsoft Edge Memory Corruption Vulnerability |
| Microsoft Graphics Component | CVE-2019-0892 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-0961 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-0758 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-0903 | GDI+ Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2019-0882 | Windows GDI Information Disclosure Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0898 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0895 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0897 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0889 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0890 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0891 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0896 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0893 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0894 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0901 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0899 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0900 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0902 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-0947 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-0953 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-0945 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-0946 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0957 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0956 | Microsoft SharePoint Server Information Disclosure Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0949 | Microsoft SharePoint Spoofing Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0950 | Microsoft SharePoint Spoofing Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0952 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0951 | Microsoft SharePoint Spoofing Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0963 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2019-0958 | Microsoft SharePoint Elevation of Privilege Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0924 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0923 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0927 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0922 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0884 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0933 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0925 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0937 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0918 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0913 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0912 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0911 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0914 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0917 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0916 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0915 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2019-0733 | Windows Defender Application Control Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2019-0936 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0886 | Windows Hyper-V Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0942 | Unified Write Filter Elevation of Privilege Vulnerability |
| Microsoft Windows | ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities |
| Microsoft Windows | CVE-2019-0931 | Windows Storage Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0885 | Windows OLE Remote Code Execution Vulnerability |
| NuGet | CVE-2019-0976 | NuGet Package Manager Tampering Vulnerability |
| Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates |
| Skype for Android | CVE-2019-0932 | Skype for Android Information Disclosure Vulnerability |
| SQL Server | CVE-2019-0819 | Microsoft SQL Server Analysis Services Information Disclosure Vulnerability |
| Team Foundation Server | CVE-2019-0971 | Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability |
| Team Foundation Server | CVE-2019-0979 | Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability |
| Team Foundation Server | CVE-2019-0872 | Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability |
| Windows DHCP Server | CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability |
| Windows Diagnostic Hub | CVE-2019-0727 | Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-0881 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows NDIS | CVE-2019-0707 | Windows NDIS Elevation of Privilege Vulnerability |
| Windows RDP | CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0863 MITRE NVD |
CVE Title: Windows Error Reporting Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges. To exploit the vulnerability, an attacker must first gain unprivileged execution on a victim system. The security update addresses the vulnerability by correcting the way WER handles files. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Detected | Exploitation Detected | Not Applicable | Yes | Yes |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0863 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Elevation of Privilege | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0863 | Polar Bear Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0882 MITRE NVD |
CVE Title: Windows GDI Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0882 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Information Disclosure | 4493446 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0882 | Axel Souchet (@0vercl0k) of MSRC Vulnerabilities and Mitigations Team https://twitter.com/0vercl0k willJ working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0884 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0884 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4498206 (IE Cumulative) 4499171 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493451 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4499151 (Monthly Rollup) | Critical | Remote Code Execution | 4493446 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493472 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4498206 (IE Cumulative) | Moderate | Remote Code Execution | 4493435 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493446 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Moderate | Remote Code Execution | 4493471 4493435 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Moderate | Remote Code Execution | 4493471 4493435 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0884 | Four Fire |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0886 MITRE NVD |
CVE Title: Windows Hyper-V Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker on a guest operating system could run a specially crafted application that could cause the Hyper-V host operating system to disclose memory information. An attacker who successfully exploited the vulnerability could gain access to information on the Hyper-V host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Guest VM to Hyper-V host server - virtualization security boundary. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0886 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0886 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0892 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0892 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0892 | Zhang Yunhai of NSFOCUS http://www.nsfocus.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0893 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0893 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0893 | Honggang Ren of Fortinet's FortiGuard Labs |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0894 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0894 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0894 | rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0895 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0895 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0895 | rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0896 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0896 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0896 | rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0897 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0897 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0897 | rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ Keqi Hu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0898 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0898 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0898 | Honggang Ren of Fortinet's FortiGuard Labs |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0899 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0899 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0899 | Hardik Shah of McAfee https://twitter.com/hardik05 Gal De Leon and Bar Lahav of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0900 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0900 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0900 | Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0901 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0901 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0901 | Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0902 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0902 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0902 | rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ Hardik Shah of McAfee https://twitter.com/hardik05 Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0903 MITRE NVD |
CVE Title: GDI+ Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerability:
The security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0903 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Critical | Remote Code Execution | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Critical | Remote Code Execution | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Critical | Remote Code Execution | 4493446 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Critical | Remote Code Execution | 4493451 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Critical | Remote Code Execution | 4493451 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Critical | Remote Code Execution | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Critical | Remote Code Execution | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0903 | kdot working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0932 MITRE NVD |
CVE Title: Skype for Android Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in Skype for Android. An attacker that exploited the vulnerability could listen to the conversation of a Skype for Android user without the user’s knowledge. To exploit the vulnerability, an attacker would need to call an Android phone with Skype for Android installed that’s also paired with a Bluetooth device. The security update addresses the vulnerability by correcting how Skype for Android answers incoming calls. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is audio from a cellular phone call. How do I get the update for Skype for Android?
Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0932 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Skype 8.35 when installed on Android Devices | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2019-0932 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0942 MITRE NVD |
CVE Title: Unified Write Filter Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the Unified Write Filter (UWF) feature for Windows 10 when it improperly restricts access to the registry. An attacker who successfully exploited the vulnerability could make changes to the registry keys protected by UWF without having administrator privileges. To exploit the vulnerability, an attacker would have to log on to an affected system utilizing UWF and access the registry editor. The security update addresses the vulnerability by correcting how the Unified Write Filter verifies privileges when accessing the registry. FAQ: What is the Unified Write Filter feature? Unified Write Filter (UWF) is an optional Windows 10 feature that helps to protect your drives by intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual overlay. The virtual overlay is a temporary location that is usually cleared during a reboot or when a guest user logs off. More information is available at https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/unified-write-filter Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0942 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0942 | Thomas Levering |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0945 MITRE NVD |
CVE Title: Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Microsoft Office Access Connectivity Engine handles objects in memory. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0945 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) | 4464567 (Security Update) | Important | Remote Code Execution | 4464520 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) | 4464567 (Security Update) | Important | Remote Code Execution | 4464520 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 RT Service Pack 1 | 4464561 (Security Update) | Important | Remote Code Execution | 4462204 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) | 4464561 (Security Update) | Important | Remote Code Execution | 4462204 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) | 4464561 (Security Update) | Important | Remote Code Execution | 4462204 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (32-bit edition) | 4464551 (Security Update) | Important | Remote Code Execution | 4462213 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 4464551 (Security Update) | Important | Remote Code Execution | 4462213 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-0945 | Keqi Hu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0946 MITRE NVD |
CVE Title: Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Microsoft Office Access Connectivity Engine handles objects in memory. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0946 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) | 4464567 (Security Update) | Important | Remote Code Execution | 4464520 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) | 4464567 (Security Update) | Important | Remote Code Execution | 4464520 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 RT Service Pack 1 | 4464561 (Security Update) | Important | Remote Code Execution | 4462204 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) | 4464561 (Security Update) | Important | Remote Code Execution | 4462204 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) | 4464561 (Security Update) | Important | Remote Code Execution | 4462204 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (32-bit edition) | 4464551 (Security Update) | Important | Remote Code Execution | 4462213 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 4464551 (Security Update) | Important | Remote Code Execution | 4462213 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-0946 | Keqi Hu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0947 MITRE NVD |
CVE Title: Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Microsoft Office Access Connectivity Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Microsoft Office Access Connectivity Engine handles objects in memory. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0947 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) | 4464567 (Security Update) | Important | Remote Code Execution | 4464520 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) | 4464567 (Security Update) | Important | Remote Code Execution | 4464520 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0947 | Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0956 MITRE NVD |
CVE Title: Microsoft SharePoint Server Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Personally Identifiable Information (PII). Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0956 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 4464549 (Security Update) | Important | Information Disclosure | 4464510 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4464564 (Security Update) | Important | Information Disclosure | 4464515 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0956 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0957 MITRE NVD |
CVE Title: Microsoft SharePoint Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0957 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 4464549 (Security Update) | Important | Elevation of Privilege | 4464510 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Server 2019 | 4464556 (Security Update) | Important | Elevation of Privilege | 4464518 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0957 | Ashar Javed of Hyundai AutoEver Europe GmbH https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0958 MITRE NVD |
CVE Title: Microsoft SharePoint Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0958 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4464564 (Security Update) | Important | Elevation of Privilege | 4464515 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Server 2019 | 4464556 (Security Update) | Important | Elevation of Privilege | 4464518 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0958 | Ahmed Radi https://twitter/0xRadi |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0961 MITRE NVD |
CVE Title: Windows GDI Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0961 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Information Disclosure | 4493446 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0961 | Kamlapati Choubey of Trend Micro |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0963 MITRE NVD |
CVE Title: Microsoft Office SharePoint XSS Vulnerability
Description: A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0963 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4464564 (Security Update) | Important | Spoofing | 4464515 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0963 | Huynh Phuoc Hung, @hph0var https://twitter.com/hph0var |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0971 MITRE NVD |
CVE Title: Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when Azure DevOps Server and Microsoft Team Foundation Server do not properly sanitize a specially crafted authentication request to an affected server. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable server. To exploit this vulnerability, an authenticated attacker would need to create a page specifically designed to cause a server-side request. The attacker would then send a specially-crafted message to perform a server-side request forgery attack. The update addresses the vulnerability by modifying how Azure DevOps Server and Microsoft Team Foundation Server manage server authentication. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is device information like resource ids, sas tokens, user properties, and other sensitive information. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0971 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure DevOps Server 2019 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2018 Update 3.2 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0971 | Paolo Giai Polict
https://polict.net/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0980 MITRE NVD |
CVE Title: .Net Framework and .Net Core Denial of Service Vulnerability
Description: A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Framework or .NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework or .NET Core application. The update addresses the vulnerability by correcting how .NET Framework or .NET Core web applications handles web requests. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0980 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET Core 1.0 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 1.1 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 2.1 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 2.2 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6.2 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7/4.7.1/4.7.2 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7/4.7.1/4.7.2 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for 32-bit Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for x64-based Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation) | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0980 | Nemanja Mijailovic Nemanja Mijailovic's Blog https://mijailovic.net/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0981 MITRE NVD |
CVE Title: .Net Framework and .Net Core Denial of Service Vulnerability
Description: A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Framework or .NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework or .NET Core application. The update addresses the vulnerability by correcting how .NET Framework or .NET Core web applications handles web requests. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0981 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET Core 1.0 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 1.1 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 2.1 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 2.2 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6.2 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7/4.7.1/4.7.2 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7/4.7.1/4.7.2 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for 32-bit Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for x64-based Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation) | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0981 | Nemanja Mijailovic, Nemanja Mijailovic's Blog https://mijailovic.net/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0982 MITRE NVD |
CVE Title: ASP.NET Core Denial of Service Vulnerability
Description: A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests. FAQ: How do I know if my client or server app is vulnerable? A client or server app is vulnerable if it has a package reference to these versions of Microsoft.AspNetCore.SignalR.Protocols.MessagePack:
Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0982 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ASP.NET Core 2.1 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| ASP.NET Core 2.2 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0982 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
| ADV990001 MITRE NVD |
CVE Title: Latest Servicing Stack Updates
Description: This is a list of the latest servicing stack updates for each operating sytem. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. FAQ: 1. Why are all of the Servicing Stack Updates (SSU) critical updates? The SSUs are classified as Critical updates. This does not indicate that there is a critical vulnerability being addressed in the update. 2. When was the most recent SSU released for each version of Microsoft Windows? Please refer to the following table for the most recent SSU release. We will update the entries any time a new SSU is released:
Mitigations: None Workarounds: None Revision: 7.0 2019-04-09T07:00:00 A Servicing Stack Update has been released for Windows Server 2008 and Windows Server 2008 (Server Core installation); Windows 10 version 1809, Windows Server 2019, and Windows Server 2019 (Server Core installation). See the FAQ section for more information. 3.0 2018-12-11T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1709, Windows Server, version 1709 (Server Core Installation), Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information. 2.0 2018-12-05T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information. 4.0 2019-01-08T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1703. See the FAQ section for more information. 1.1 2018-11-14T08:00:00 Corrected the link to the Windows Server 2008 Servicing Stack Update. This is an informational change only. 2.0 2018-12-05T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information. 5.2 2019-02-14T08:00:00 In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1803 for x64-based Systems to 4485449. This is an informational change only. 5.0 2019-02-12T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation); Windows 10 Version 1703; Windows 10 Version 1709 and Windows Server, version 1709 (Server Core Installation); Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information. 1.2 2018-12-03T08:00:00 FAQs have been added to further explain Security Stack Updates. The FAQs include a table that indicates the most recent SSU release for each Windows version. This is an informational change only. 3.1 2018-12-11T08:00:00 Updated supersedence information. This is an informational change only. 5.1 2019-02-13T08:00:00 In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1809 for x64-based Systems to 4470788. This is an informational change only. 6.0 2019-03-12T07:00:00 A Servicing Stack Update has been released for Windows 7 and Windows Server 2008 R2 and Windows Server 2008 R2 (Server Core installation). See the FAQ section for more information. 3.2 2018-12-12T08:00:00 Fixed a typo in the FAQ. 1.0 2018-11-13T08:00:00 Information published. 8.0 2019-05-14T07:00:00 A Servicing Stack Update has been released for Windows 10 version 1507, Windows 10 version 1607, Windows Server 2016, Windows 10 version 1703, Windows 10 version 1709, Windows Server, version 1709, Windows 10 version 1803, Windows Server, version 1803, Windows 10 version 1809, Windows Server 2019, Windows 10 version 1809 and Windows Server, version 1809. See the FAQ section for more information. |
Critical | Defense in Depth |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| ADV990001 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4498353 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 for x64-based Systems | 4498353 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4498947 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4498947 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4500640 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4500640 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4500641 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4500641 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4500641 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4497398 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4497398 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4497398 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4499728 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4499728 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4499728 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4490628 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4490628 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 8.1 for 32-bit systems | 3173424 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 8.1 for x64-based systems | 3173424 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4493730 (Servicing Stack Update) | Critical | Defense in Depth | 955430 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4493730 (Servicing Stack Update) | Critical | Defense in Depth | 955430 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4493730 (Servicing Stack Update) | Critical | Defense in Depth | 955430 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4493730 (Servicing Stack Update) | Critical | Defense in Depth | 955430 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4493730 (Servicing Stack Update) | Critical | Defense in Depth | 955430 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4490628 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4490628 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4490628 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 | 3173426 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 (Server Core installation) | 3173426 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 R2 | 3173424 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 3173424 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2016 | 4498947 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2016 (Server Core installation) | 4498947 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2019 | 4499728 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2019 (Server Core installation) | 4499728 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server, version 1709 (Server Core Installation) | 4500641 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4497398 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| CVE ID | Acknowledgements |
| ADV990001 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0707 MITRE NVD |
CVE Title: Windows NDIS Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. To exploit the vulnerability, in a local attack scenario, an attacker could run a specially crafted application to elevate the attacker's privilege level. An attacker who successfully exploited this vulnerability could run processes in an elevated context. However, an attacker must first gain access to the local system with the ability to execute a malicious application in order to exploit this vulnerability. The security update addresses the vulnerability by changing how ndis.sys validates buffer length. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0707 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Elevation of Privilege | 4493446 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0707 | Anthony LAOU HINE TSUEI https://twitter.com/anarcheuz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0708 MITRE NVD |
CVE Title: Remote Desktop Services Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests. FAQ: None Mitigations: Workarounds: The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place: 1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability. 2. Block TCP port 3389 at the enterprise perimeter firewall TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0708 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Critical | Remote Code Execution | 4493471 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 9.80 Temporal: 8.80 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0708 | The UK's National Cyber Security Centre (NCSC) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0725 MITRE NVD |
CVE Title: Windows DHCP Server Remote Code Execution Vulnerability
Description: A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server. To exploit the vulnerability, a remote unauthenticated attacker could send a specially crafted packet to an affected DHCP server. The security update addresses the vulnerability by correcting how DHCP servers handle network packets. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0725 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Critical | Remote Code Execution | 4493472 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Critical | Remote Code Execution | 4493451 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Critical | Remote Code Execution | 4493451 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Critical | Remote Code Execution | 4493446 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Critical | Remote Code Execution | 4493446 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0725 | Mitch Adair, Microsoft Windows Enterprise Security Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0727 MITRE NVD |
CVE Title: Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector or the Visual Studio Standard Collector allows file deletion in arbitrary locations. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses the vulnerability by not permitting Diagnostics Hub Standard Collector or the Visual Studio Standard Collector to delete files in arbitrary locations. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0727 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Visual Studio 2015 Update 3 | 4489639 (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2017 version 15.0 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2017 version 15.9 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2019 version 16.0 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0727 | DazzleP Cai of Tencent Keenlab https://twitter.com/Dazz1eP Wayne Low of Fortinet’s FortiGuard Labs https://fortiguard.com/ Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab https://twitter.com/ma7h1as,http://xlab.tencent.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0733 MITRE NVD |
CVE Title: Windows Defender Application Control Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement. An attacker who successfully exploited this vulnerability could circumvent Windows PowerShell Constrained Language Mode on the machine. To exploit the vulnerability, an attacker would first have to access the local machine, and then place PowerShell into Constrained Language mode. By doing that an attacker could leverage script debugging to abuse signed modules in an unintended way. The update addresses the vulnerability by correcting how PowerShell functions in Constrained Language Mode. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0733 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Security Feature Bypass | 4493475 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Security Feature Bypass | 4493475 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Security Feature Bypass | 4493470 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Security Feature Bypass | 4493470 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Security Feature Bypass | 4493474 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Security Feature Bypass | 4493474 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Security Feature Bypass | 4493441 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Security Feature Bypass | 4493441 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Security Feature Bypass | 4493441 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Security Feature Bypass | 4493464 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Security Feature Bypass | 4493464 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Security Feature Bypass | 4493464 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Security Feature Bypass | None | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Security Feature Bypass | None | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Security Feature Bypass | None | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Security Feature Bypass | 4493470 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Security Feature Bypass | 4493470 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Security Feature Bypass | 4493464 | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Security Feature Bypass | None | Base: 5.30 Temporal: 4.80 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0733 | Matt Graeber of SpecterOps https://specterops.io/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0734 MITRE NVD |
CVE Title: Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully decode and replace authentication request using Kerberos, allowing an attacker to be validated as an Administrator. The update addresses this vulnerability by changing how these requests are validated. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0734 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Elevation of Privilege | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0734 | Andrew Bartlett of Catalyst and the Samba Team https://catalyst.net.nz/samba-%26-windows-integration,https://www.samba.org/samba/team Isaac Boukris |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0758 MITRE NVD |
CVE Title: Windows GDI Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is memory layout - the vulnerability allows an attacker to collect information that facilitates predicting addressing of the memory. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0758 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Information Disclosure | 4493446 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Information Disclosure | 4493471 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0758 | kdot working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||
| CVE-2019-0819 MITRE NVD |
CVE Title: Microsoft SQL Server Analysis Services Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in Microsoft SQL Server Analysis Services when it improperly enforces metadata permissions. An attacker who successfully exploited the vulnerability could query tables or columns for which they do not have access rights. To exploit this vulnerability, an authenticated attacker would need to submit a query to an affected Analysis Services database. The security update addresses the vulnerability by correcting how SQL Server Analysis Services enforces permissions. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability relates to SQL table columns that would normally be restricted. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different update servicing branches in place for SQL Server. The primary difference between the two is that CU branches cumulatively include all updates for a given baseline, while GDR branches include only cumulative critical updates for a given baseline. A baseline can be the initial RTM release or a Service Pack. For any given baseline, either the GDR or CU updates are options if you are a) at the baseline version (never installed any servicing updates, CU or GDR), or b) have only installed GDR updates. The CU update is the only option if you have installed a previous SQL Server CU for the baseline you are on. Does this security update apply to SQL Server 2017 on Linux or on Linux Docker Containers? No. The fix is only applicable to SQL Server Analysis Services (AS), which is not available within SQL Server 2017 on Linux. Will these security updates be offered to SQL Server clusters? Yes. The updates will also be offered to SQL Server 2017 RTM instances that are clustered. Updates for SQL Server clusters will require user interaction. If the SQL Server 2017 RTM cluster has a passive node, to reduce downtime, Microsoft recommends that you scan and apply the update to the inactive node first, then scan and apply it to the active node. When all components have been updated on all nodes, the update will no longer be offered. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0819 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2017 for x64-based Systems (CU+GDR) | 4494352 (Security Update) | Important | Information Disclosure | 4293805 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (GDR) | 4494351 (Security Update) | Important | Information Disclosure | 4293803 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0819 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0820 MITRE NVD |
CVE Title: .NET Framework and .NET Core Denial of Service Vulnerability
Description: A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Framework (or .NET core) application. The update addresses the vulnerability by correcting how .NET Framework and .NET Core applications handle RegEx string processing. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0820 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET Core 1.0 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 1.1 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 2.1 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 2.2 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| .NET Core 3.0 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows 7 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for 32-bit Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for x64-based Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation) | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0820 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0864 MITRE NVD |
CVE Title: .NET Framework Denial of Service Vulnerability
Description: A denial of service vulnerability exists when .NET Framework improperly handles objects in heap memory. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how .NET Framework handle objects in heap memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0864 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 3.5 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | 4487078; 4487256 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows 7 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4498964 (Security Only) 4499409 (Monthly Rollup) |
Important | Denial of Service | 4487081; 4487259 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6.2 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Denial of Service | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Denial of Service | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | 4495165 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499406 (Monthly Rollup) 4498961 (Security Only) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | 4487079; 4487257 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | 4489488; 4495165 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.1/4.7.2 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Denial of Service | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.7.2 on Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Denial of Service | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7/4.7.1/4.7.2 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.7/4.7.1/4.7.2 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Denial of Service | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for 32-bit Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for x64-based Systems | 4495611 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systems | 4495613 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systems | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systems | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for 32-bit Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for x64-based Systems | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows RT 8.1 | 4499408 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4498961 (Security Only) 4499406 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 4498962 (Security Only) 4499407 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 4498963 (Security Only) 4499408 (Monthly Rollup) |
Important | Denial of Service | Base: N/A Temporal: N/A Vector: N/A |
Maybe | |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 4495610 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation) | 4499405 (Monthly Rollup) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation) | 4495616 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server, version 1903 (Server Core installation) | 4495620 (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0864 | Keqi Hu and zhangjie from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0872 MITRE NVD |
CVE Title: Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
Description: A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to an Azure DevOps server or a Team Foundation server, which will get executed in the context of the user every time a user visits the compromised page. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content. The security update addresses the vulnerability by ensuring that Azure DevOps Server and Team Foundation Server properly sanitize user inputs. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0872 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure DevOps Server 2019 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2015 Update 4.2 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2017 Update 3.1 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2018 Update 1.2 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2018 Update 3.2 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0872 | Mikhail Shcherbakov https://www.linkedin.com/in/mikhailshcherbakov |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0881 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Kernel improperly handles key enumeration. An attacker who successfully exploited the vulnerability could gain elevated privileges on a targeted system. A locally authenticated attacker could exploit this vulnerability by running a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel properly handles key enumeration. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0881 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Elevation of Privilege | 4493446 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 8.80 Temporal: 7.90 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0881 | James Forshaw of Google Project Zero http://www.google.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0885 MITRE NVD |
CVE Title: Windows OLE Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file or a program, causing Windows to execute arbitrary code. The update addresses the vulnerability by correcting how Windows OLE validates user input. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0885 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0885 | Yuki Chen of Qihoo 360 Vulcan Team http://www.360.com/ Anonymous working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0889 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0889 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0889 | Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ Hardik Shah of McAfee https://twitter.com/hardik05 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0890 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0890 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0890 | rgod of 9sg Security Team working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0891 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0891 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Remote Code Execution | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Remote Code Execution | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Remote Code Execution | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Remote Code Execution | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Remote Code Execution | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Remote Code Execution | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0891 | Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ Hardik Shah of McAfee https://twitter.com/hardik05 rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0911 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0911 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Internet Explorer 10 on Windows Server 2012 | 4498206 (IE Cumulative) 4499171 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493451 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4499151 (Monthly Rollup) | Critical | Remote Code Execution | 4493446 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4498206 (IE Cumulative) | Moderate | Remote Code Execution | 4493435 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0911 | Yuki Chen of Qihoo 360 Vulcan Team http://www.360.com/ Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0912 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0912 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0912 | Yuki Chen of Qihoo 360 Vulcan Team http://www.360.com/ Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0913 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0913 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0913 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0914 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0914 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0914 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0915 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0915 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0915 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0916 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0916 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0916 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0917 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0917 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0917 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0918 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0918 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4498206 (IE Cumulative) 4499171 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493451 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4499151 (Monthly Rollup) | Critical | Remote Code Execution | 4493446 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4498206 (IE Cumulative) | Moderate | Remote Code Execution | 4493435 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Moderate | Remote Code Execution | 4493471 4493435 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Moderate | Remote Code Execution | 4493471 4493435 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0918 | Yuki Chen of Qihoo 360 Vulcan Team http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0921 MITRE NVD |
CVE Title: Internet Explorer Spoofing Vulnerability
Description: An spoofing vulnerability exists when Internet Explorer improperly handles URLs. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it. In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website. The security update addresses the vulnerability by changing how URLs are handled by Internet Explorer. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0921 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4498206 (IE Cumulative) 4499171 (Monthly Rollup) |
Low | Spoofing | 4493435 4493451 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Spoofing | 4493475 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Spoofing | 4493475 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Spoofing | 4493470 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Spoofing | 4493470 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Spoofing | 4493474 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Spoofing | 4493474 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Spoofing | 4493441 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Spoofing | 4493441 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Spoofing | 4493441 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Spoofing | 4493464 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Spoofing | 4493464 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Spoofing | 4493464 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Spoofing | 4493509 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Spoofing | 4493509 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Spoofing | 4493509 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Spoofing | None | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Spoofing | None | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Spoofing | None | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Important | Spoofing | 4493435 4493472 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Important | Spoofing | 4493435 4493472 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Important | Spoofing | 4493435 4493446 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Important | Spoofing | 4493435 4493446 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Spoofing | 4493446 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Low | Spoofing | 4493435 4493472 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4498206 (IE Cumulative) | Low | Spoofing | 4493435 | Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Low | Spoofing | 4493435 4493446 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4494440 (Security Update) | Low | Spoofing | 4493470 | Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Low | Spoofing | 4493509 | Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Low | Spoofing | 4493471 4493435 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Low | Spoofing | 4493471 4493435 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0921 | Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab
https://xlab.tencent.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0922 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0922 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0922 | Bruno Keith https://twitter.com/bkth_ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0923 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0923 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Low | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Low | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0923 | Zhiyi Zhang from Codesafe Team of Legendsec at Qi'anxin Group Suyoung Lee of Web Security & Privacy Lab at KAIST HyungSeok Han of SoftSec Lab at KAIST Sang Kil Cha of SoftSec Lab at KAIST Sooel Son of Web Security & Privacy Lab at KAIST https://www.facebook.com/leeswimming,https://daramg.gift,https://softsec.kaist.ac.kr/~sangkilc/,https://sites.google.com/site/ssonkaist/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0924 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0924 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0924 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0925 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0925 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0925 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0926 MITRE NVD |
CVE Title: Microsoft Edge Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. The security update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0926 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0926 | Liu Long of Qihoo 360 Vulcan Team http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0927 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0927 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0927 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0929 MITRE NVD |
CVE Title: Internet Explorer Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0929 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0929 | Juan Pablo Lopez Yacubian |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| ADV190012 MITRE NVD |
CVE Title: May 2019 Adobe Flash Security Update
Description: This security update addresses the following vulnerability, which is described in Adobe Security Bulletin APSB19-26: CVE-2019-7837. FAQ: How could an attacker exploit these vulnerabilities? In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. For more information about Internet Explorer and the CV List, please see the MSDN Article, Developer Guidance for websites with content for Adobe Flash Player in Windows 8. Mitigations: Workarounds: Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update. Prevent Adobe Flash Player from running You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry. Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To set the kill bit for the control in the registry, perform the following steps:
Note You must restart Internet Explorer for your changes to take effect. Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer. How to undo the workaround. Delete the registry keys that were added in implementing this workaround. Prevent Adobe Flash Player from running in Internet Explorer through Group Policy Note The Group Policy MMC snap-in can be used to set policy for a machine, for an organizational unit, or for an entire domain. For more information about Group Policy, visit the following Microsoft Web sites: Group Policy Overview What is Group Policy Object Editor? Core Group Policy tools and settings To disable Adobe Flash Player in Internet Explorer through Group Policy, perform the following steps: Note This workaround does not prevent Flash from being invoked from other applications, such as Microsoft Office 2007 or Microsoft Office 2010.
To disable Adobe Flash Player in Office 2010 only, set the kill bit for the ActiveX control for Adobe Flash Player in the registry using the following steps:
To disable all ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, including Adobe Flash Player in Internet Explorer, perform the following steps:
To re-enable ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, perform the following steps:
To raise the browsing security level in Internet Explorer, perform the following steps:
You can help protect against exploitation of these vulnerabilities by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, perform the following steps:
To do this, perform the following steps:
Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| ADV190012 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Adobe Flash Player on Windows 10 for 32-bit Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 for x64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1607 for 32-bit Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1607 for x64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1703 for 32-bit Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1703 for x64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1709 for 32-bit Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1709 for ARM64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1709 for x64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1803 for 32-bit Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1803 for ARM64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1803 for x64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1809 for 32-bit Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1809 for ARM64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1809 for x64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1903 for 32-bit Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1903 for ARM64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 10 Version 1903 for x64-based Systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 8.1 for 32-bit systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows 8.1 for x64-based systems | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows RT 8.1 | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows Server 2012 | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows Server 2012 R2 | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows Server 2016 | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Adobe Flash Player on Windows Server 2019 | 4497932 (Security Update) | Critical | Remote Code Execution | 4493478 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| CVE ID | Acknowledgements |
| ADV190012 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0930 MITRE NVD |
CVE Title: Internet Explorer Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site. The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0930 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4498206 (IE Cumulative) 4499171 (Monthly Rollup) |
Low | Information Disclosure | 4493435 4493451 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Important | Information Disclosure | 4493435 4493472 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Important | Information Disclosure | 4493435 4493472 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Important | Information Disclosure | 4493435 4493446 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Important | Information Disclosure | 4493435 4493446 |
Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Information Disclosure | 4493446 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Low | Information Disclosure | 4493435 4493472 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4498206 (IE Cumulative) | Low | Information Disclosure | 4493435 | Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Low | Information Disclosure | 4493435 4493446 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4494440 (Security Update) | Low | Information Disclosure | 4493470 | Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Low | Information Disclosure | 4493509 | Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Low | Information Disclosure | 4493471 4493435 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4498206 (IE Cumulative) |
Low | Information Disclosure | 4493471 4493435 |
Base: 2.40 Temporal: 2.20 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0930 | Krishnakant Patil and Siddhant Badhe - Project Srishti |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0931 MITRE NVD |
CVE Title: Windows Storage Service Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system. To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application. The security update addresses the vulnerability by correcting how the Storage Services handles file operations. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0931 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0931 | k0shl of Qihoo 360 Vulcan Team
https://twitter.com/KeyZ3r0,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0933 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0933 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0933 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| ADV190013 MITRE NVD |
CVE Title: Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
Description: Executive SummaryOn May 14, 2019, Intel published information about a new subclass of speculative execution side channel vulnerabilities known as Microarchitectural Data Sampling. An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities. These vulnerabilities are known as:
Important: These issues will affect other systems such as Android, Chrome, iOS, Linux, and MacOS. We advise customers seek to guidance from their respective vendors. Microsoft has released software updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services. Microsoft has no information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. Recommended ActionsTo protect your system from these vulnerabilities, Microsoft recommends that you take the following actions, and refer to the subsequent sections for links to further information for your specific situation:
Important Please note that at the release of this advisory, microcode updates are not available for the following versions of Windows. These microcode updates will be released at a later date. Microsoft recommends that customers running these versions of Windows install applicable Windows updates in the meantime:
Microsoft Windows client customersCustomers using Windows client operating systems need to apply both firmware (microcode) and software updates. See Microsoft Knowledge Base Article 4073119 for additional information. Microsoft is making available Intel-validated microcode updates for Windows 10 operating systems. Please see Microsoft Knowledge Base Article 4093836 for the current Intel microcode updates. In addition, customers should check to see if their OEM is providing additional guidance on updates and mitigations. Surface Support Article 4073065 provides more information to Surface customers. Microsoft Windows Server customersCustomers using Windows server operating systems listed in the Affected Products table need to apply firmware (microcode) and software updates as well as to configure protections. See Microsoft Knowledge Base Article 4072698 for additional information, including workarounds. Microsoft Azure has taken steps to address the security vulnerabilities at the hypervisor level to protect Windows Server VMs running in Azure. More information can be found here. Microsoft cloud customersMicrosoft has already deployed mitigations across our cloud services. More information is available here. Microsoft SQL Server customersIn scenarios running Microsoft SQL Server, customers should follow the guidance outlined in Microsoft Knowledge Base Article 4073225. Microsoft HoloLens customersUpdates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update. After applying the February 2018 Windows Security Update HoloLens customers do not need to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens. Potential performance impactsSpecific performance impact varies by hardware generation and implementation by the chip manufacturer. For most consumer devices, impact on performance may not be noticeable. Some customers may have to disable Hyper-Threading (SMT) to fully address the risk from MDS vulnerabilities. In testing Microsoft has seen some performance impact with these mitigations, in particular when hyperthreading is disabled. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. In some cases, mitigations are not enabled by default to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigations. We continue to work with hardware vendors to improve performance while maintaining a high level of security. ReferencesSee the following for further information from Intel:
FAQ1. When will the firmware updates be available? If you have a non-Microsoft device, we suggest contacting your OEM for this information. 2. Will there be updates for Windows operating systems? Yes. Please see the Security Updates table. 3. I am running Windows Server 2008 for x64-based Systems. Is an update available for my system? At the time of release, an update is not available for Windows Server 2008 for x64-based Systems. When the update is available, customers will be notified through a revision to this advisory. If you wish to be notified when the update is released, Microsoft recommends that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. 4. Where can I find information regarding other speculative side-channel execution vulnerabilities?
FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| ADV190013 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Information Disclosure | 4493475 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Information Disclosure | 4493474 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Information Disclosure | 4493441 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Information Disclosure | 4493472 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Information Disclosure | 4493451 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Information Disclosure | 4493446 |
Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Information Disclosure | 4493470 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Information Disclosure | 4493509 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Information Disclosure | 4493464 | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| CVE ID | Acknowledgements |
| ADV190013 | Lei Shi, Qihoo 360 CERT https://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0936 MITRE NVD |
CVE Title: Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Windows when Windows fails to properly handle certain symbolic links. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows handles symbolic links. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0936 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4499151 (Monthly Rollup) | Important | Elevation of Privilege | 4493446 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4499149 (Monthly Rollup) 4499180 (Security Only) |
Important | Elevation of Privilege | 4493471 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4499164 (Monthly Rollup) 4499175 (Security Only) |
Important | Elevation of Privilege | 4493472 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4499158 (Security Only) 4499171 (Monthly Rollup) |
Important | Elevation of Privilege | 4493451 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4499151 (Monthly Rollup) 4499165 (Security Only) |
Important | Elevation of Privilege | 4493446 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0936 | Abian Blome of ClawSec http://www.clawsec.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0937 MITRE NVD |
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0937 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Maybe |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0937 | fluoroacetate (@fluoroacetate) working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0938 MITRE NVD |
CVE Title: Microsoft Edge Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0938 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Important | Elevation of Privilege | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Elevation of Privilege | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Elevation of Privilege | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Elevation of Privilege | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Elevation of Privilege | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Elevation of Privilege | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Elevation of Privilege | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Low | Elevation of Privilege | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Low | Elevation of Privilege | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0938 | Arthur Gerkis of Exodus Intelligence (@ax330d) working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0940 MITRE NVD |
CVE Title: Microsoft Browser Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment. The security update addresses the vulnerability by modifying how Microsoft browsers handle objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0940 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4498206 (IE Cumulative) 4499171 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493451 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Critical | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4499151 (Monthly Rollup) | Critical | Remote Code Execution | 4493446 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4498206 (IE Cumulative) 4499164 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493472 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4498206 (IE Cumulative) | Moderate | Remote Code Execution | 4493435 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4498206 (IE Cumulative) 4499151 (Monthly Rollup) |
Moderate | Remote Code Execution | 4493435 4493446 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for 32-bit Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 for x64-based Systems | 4499154 (Security Update) | Critical | Remote Code Execution | 4493475 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Critical | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Critical | Remote Code Execution | 4493474 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Critical | Remote Code Execution | 4493441 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Critical | Remote Code Execution | 4493464 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Critical | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2016 | 4494440 (Security Update) | Moderate | Remote Code Execution | 4493470 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge on Windows Server 2019 | 4494441 (Security Update) | Moderate | Remote Code Execution | 4493509 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0940 | working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ Arthur Gerkis of Exodus Intelligence (@ax330d) working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0949 MITRE NVD |
CVE Title: Microsoft SharePoint Spoofing Vulnerability
Description: A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0949 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 4464549 (Security Update) | Important | Spoofing | 4464510 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4464564 (Security Update) | Important | Spoofing | 4464515 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0949 | Ashar Javed of Hyundai AutoEver Europe GmbH https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0950 MITRE NVD |
CVE Title: Microsoft SharePoint Spoofing Vulnerability
Description: A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0950 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 4464549 (Security Update) | Important | Spoofing | 4464510 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4464564 (Security Update) | Important | Spoofing | 4464515 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0950 | Ashar Javed of Hyundai AutoEver Europe GmbH https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0951 MITRE NVD |
CVE Title: Microsoft SharePoint Spoofing Vulnerability
Description: A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0951 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Foundation 2010 Service Pack 2 | 4464573 (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4464564 (Security Update) | Important | Spoofing | 4464515 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0951 | Nikola Kojić Ras-IT, Belgrade https://ras-it.rs/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0952 MITRE NVD |
CVE Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server. The security update addresses the vulnerability by correcting how Microsoft SharePoint Server handles processing of created content. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0952 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 4464549 (Security Update) | Important | Remote Code Execution | 4464510 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4464564 (Security Update) | Important | Remote Code Execution | 4464515 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0952 | Ivan Vagunin, https://twitter.com/ivagunin |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0953 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory. FAQ: Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0953 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2016 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office Online Server | 4462169 (Security Update) | Critical | Remote Code Execution | 4461633 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 4464536 (Security Update) | Critical | Remote Code Execution | 4461543 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 4464536 (Security Update) | Critical | Remote Code Execution | 4461543 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Office 365 ProPlus for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-0953 | Zhong Zhaochen of andsecurity.cn http://andsecurity.cn Anonymous, working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0976 MITRE NVD |
CVE Title: NuGet Package Manager Tampering Vulnerability
Description: A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac that could allow an authenticated attacker to modify contents of the intermediate build folder (by default “obj”). An attacker who successfully exploited this vulnerability could potentially modify files and folders that impact binaries created as part of building a project. To exploit this vulnerability, an attacker would need to log on to the affected system and tamper with the intermediate build folder which may impact the output of future builds of that project. The security update addresses the vulnerability by correcting permissions on the intermediate build folder. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0976 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Nuget 5.0.2 | Release Notes (Security Update) | Important | Tampering | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0976 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0979 MITRE NVD |
CVE Title: Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
Description: A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Server and Team Foundation Server do not properly sanitize user provided input. An authenticated attacker could exploit the vulnerability by sending a specially crafted payload to an Azure DevOps server or a Team Foundation server, which will get executed in the context of the user every time a user visits the compromised page. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content. The security update addresses the vulnerability by ensuring that Azure DevOps Server and Team Foundation Server properly sanitize user inputs. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0979 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure DevOps Server 2019 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2017 Update 3.1 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2018 Update 1.2 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Team Foundation Server 2018 Update 3.2 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-0979 | Suresh C https://plus.google.com/109511353019526855573 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0995 MITRE NVD |
CVE Title: Internet Explorer Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists when urlmon.dll improperly handles certain Mark of the Web queries. The vulnerability allows Internet Explorer to bypass Mark of the Web warnings or restrictions for files downloaded or created in a specific way. In a web-based attack scenario, an attacker would need to host a malicious file that is designed to exploit the vulnerability and then convince a user to download the malicious file and then open the file in Internet Explorer. The security update addresses the vulnerability by modifying how urlmon.dll handles Mark of the Web queries. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0995 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4494440 (Security Update) | Important | Security Feature Bypass | 4493470 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4494440 (Security Update) | Important | Security Feature Bypass | 4493470 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | 4499181 (Security Update) | Important | Security Feature Bypass | 4493474 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | 4499181 (Security Update) | Important | Security Feature Bypass | 4493474 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4499179 (Security Update) | Important | Security Feature Bypass | 4493441 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4499179 (Security Update) | Important | Security Feature Bypass | 4493441 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4499179 (Security Update) | Important | Security Feature Bypass | 4493441 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4499167 (Security Update) | Important | Security Feature Bypass | 4493464 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4499167 (Security Update) | Important | Security Feature Bypass | 4493464 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4499167 (Security Update) | Important | Security Feature Bypass | 4493464 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4494441 (Security Update) | Important | Security Feature Bypass | 4493509 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4497936 (Security Update) | Important | Security Feature Bypass | None | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4497936 (Security Update) | Important | Security Feature Bypass | None | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4497936 (Security Update) | Important | Security Feature Bypass | None | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4494440 (Security Update) | Low | Security Feature Bypass | 4493470 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4494441 (Security Update) | Low | Security Feature Bypass | 4493509 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0995 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1000 MITRE NVD |
CVE Title: Microsoft Azure AD Connect Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Azure Active Directory Connect build 1.3.20.0, which allows an attacker to execute two PowerShell cmdlets in context of a privileged account, and perform privileged actions. To exploit this, an attacker would need to authenticate to the Azure AD Connect server. These cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server. This security update address the issue by disabling these cmdlets. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1000 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Azure Active Directory Connect | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1000 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1008 MITRE NVD |
CVE Title: Microsoft Dynamics On-Premise Security Feature Bypass
Description: A security feature bypass vulnerability exists in Dynamics On Premise. An attacker who exploited the vulnerability could send attachment types that are blocked by the email attachment system. To exploit the vulnerability, an attacker would need to capture and edit the POST request to include a special character in the extension. The update addresses the vulnerability by blocking files with the special character in the file extension. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-05-14T07:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1008 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Dynamics 365 (on-premises) version 8.2 | 4494412 (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Dynamics 365 (on-premises) version 9.0 | 4498363 (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Dynamics CRM 2015 (on-premises) version 7.0 | 4499386 (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1008 | Adam Willard https://www.aswsec.com |