Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

Why is this Chrome CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

How can I see the version of the browser?

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on Help and Feedback
3. Click on About Microsoft Edge

What is the version information for this release?

Information published.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

A victim user would have to click the stored XSS payload injected by the attacker to be compromised.

How can I update my Service Fabric Cluster to the latest version?

If you have automatic updates, no action is needed. However, for those who choose to manually update, please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric Cluster.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

The vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

How could an attacker exploit this vulnerability?

An authorized attacker could exploit the Windows Bluetooth driver vulnerability by programmatically running certain functions that could lead to elevation of privilege on the Bluetooth component.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

See Manage Updates Baselines Microsoft Defender Antivirus for more information.

Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue?

Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state.

Why is no action required to install this update?

In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment.

How often are the Microsoft Malware Protection Engine and malware definitions updated?

Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed.

Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time.

What is the Microsoft Malware Protection Engine?

The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.

Windows Defender uses the Microsoft Malware Protection Engine. On which products is Defender installed and active by default?

Defender runs on all supported version of Windows.

Are there other products that use the Microsoft Malware Protection Engine?

Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials.

Does this update contain any additional security-related changes to functionality?

Yes.  In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features.

Suggested Actions

Verify that the update is installed

Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products.

1. Open the Windows Security program. For example, type Security in the Search bar, and select the Windows Security program.
2. In the navigation pane, select Virus & threat protection.
3. Under Virus & threat protection updates in the main window, select Check for updates
4. Select Check for updates again.
5. In the navigation pane, select Settings, and then select About.
6. Examine the Engine Version number. The update was successfully installed if the Malware Protection Engine version number or the signature package version number matches or exceeds the version number that you are trying to verify as installed.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) but have major impact on integrity (I:H) and on availability (A:H). What does that mean for this vulnerability?

This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.

Information published.

According to the CVSS metric, the attack vector is local (AV:L) and user interaction is required (UI:R), what does that mean for this vulnerability?

The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to click on a local file path link or download and run a malicious application or file.

What is the nature of the spoofing?

An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.

Information published.

How could an attacker exploit this vulnerability?

In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could view heap memory from a privileged process running on the server.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The user would need to access the URL of the malicious website, which could spoof the content of a legitimate website, and then click a popup displayed on that site.

I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?

No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following:

• Cumulative update (ubersrv13). Note that this update also includes the *srvloc2013 update
• Both of the security updates (sts2013 AND *loc2013), which are the same updates as for Foundation Server 2013

Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.

I am running SharePoint Foundation 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Foundation 2013 Service Pack 1 ?

Yes, customers running SharePoint Foundation 2013 Service Pack 1 should install both of the security updates. The updates can be installed in any order.

According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?

The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.

Information published.

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

How could an attacker exploit this vulnerability?

The attacker could exploit this vulnerability by convincing a victim to open a specially crafted XLSX file which when opened would cause a denial-of-service condition for other processes running on that machine.

Information published.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.

Is the Preview Pane an attack vector for this vulnerability?

The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.

How could an attacker exploit this vulnerability?

External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.

Where can I find more information about NTLM relay attacks?

Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.

Information published.