Microsoft CVE Summary

This report contains detail for the following vulnerabilities:

Tag CVE ID CVE Title
Adobe Flash Player ADV190015 June 2019 Adobe Flash Security Update
Kerberos CVE-2019-0972 Local Security Authority Subsystem Service Denial of Service Vulnerability
Microsoft Browsers CVE-2019-1081 Microsoft Browser Information Disclosure Vulnerability
Microsoft Browsers CVE-2019-1038 Microsoft Browser Memory Corruption Vulnerability
Microsoft Devices ADV190017 Microsoft HoloLens Remote Code Execution Vulnerabilities
Microsoft Devices ADV190016 Bluetooth Low Energy Advisory
Microsoft Edge CVE-2019-1054 Microsoft Edge Security Feature Bypass Vulnerability
Microsoft Exchange Server ADV190018 Microsoft Exchange Server Defense in Depth Update
Microsoft Graphics Component CVE-2019-1018 DirectX Elevation of Privilege Vulnerability
Microsoft Graphics Component CVE-2019-1047 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1046 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1013 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1015 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1016 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1048 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-0977 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-0960 Win32k Elevation of Privilege Vulnerability
Microsoft Graphics Component CVE-2019-0968 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1049 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1050 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-0985 Microsoft Speech API Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2019-1010 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1009 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1011 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1012 Windows GDI Information Disclosure Vulnerability
Microsoft JET Database Engine CVE-2019-0905 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0974 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0904 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0906 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0908 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0909 Jet Database Engine Remote Code Execution Vulnerability
Microsoft JET Database Engine CVE-2019-0907 Jet Database Engine Remote Code Execution Vulnerability
Microsoft Office CVE-2019-1035 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office CVE-2019-1034 Microsoft Word Remote Code Execution Vulnerability
Microsoft Office SharePoint CVE-2019-1032 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2019-1036 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2019-1031 Microsoft Office SharePoint XSS Vulnerability
Microsoft Office SharePoint CVE-2019-1033 Microsoft Office SharePoint XSS Vulnerability
Microsoft Scripting Engine CVE-2019-1002 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0991 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1080 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1023 Scripting Engine Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2019-0993 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0992 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1024 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0990 Scripting Engine Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2019-0988 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0989 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1055 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1052 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1051 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-0920 Scripting Engine Memory Corruption Vulnerability
Microsoft Scripting Engine CVE-2019-1003 Chakra Scripting Engine Memory Corruption Vulnerability
Microsoft Windows CVE-2019-1069 Task Scheduler Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1064 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0888 ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-1025 Windows Denial of Service Vulnerability
Microsoft Windows CVE-2019-1045 Windows Network File System Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1043 Comctl32 Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-0710 Windows Hyper-V Denial of Service Vulnerability
Microsoft Windows CVE-2019-0709 Windows Hyper-V Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-0722 Windows Hyper-V Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-0943 Windows ALPC Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0713 Windows Hyper-V Denial of Service Vulnerability
Microsoft Windows CVE-2019-0983 Windows Storage Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0984 Windows Common Log File System Driver Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0711 Windows Hyper-V Denial of Service Vulnerability
Microsoft Windows CVE-2019-0948 Windows Event Viewer Information Disclosure Vulnerability
Microsoft Windows CVE-2019-0959 Windows Common Log File System Driver Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-0998 Windows Storage Service Elevation of Privilege Vulnerability
Servicing Stack Updates ADV990001 Latest Servicing Stack Updates
Skype for Business and Microsoft Lync CVE-2019-1029 Skype for Business and Lync Server Denial of Service Vulnerability
Team Foundation Server CVE-2019-0996 Azure DevOps Server Spoofing Vulnerability
VBScript CVE-2019-1005 Scripting Engine Memory Corruption Vulnerability
Windows Authentication Methods CVE-2019-1040 Windows NTLM Tampering Vulnerability
Windows Hyper-V CVE-2019-0620 Windows Hyper-V Remote Code Execution Vulnerability
Windows IIS CVE-2019-0941 Microsoft IIS Server Denial of Service Vulnerability
Windows Installer CVE-2019-0973 Windows Installer Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1044 Windows Secure Kernel Mode Security Feature Bypass Vulnerability
Windows Kernel CVE-2019-1014 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1017 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1065 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1041 Windows Kernel Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1039 Windows Kernel Information Disclosure Vulnerability
Windows Media CVE-2019-1026 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1007 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1027 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1022 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1021 Windows Audio Service Elevation of Privilege Vulnerability
Windows Media CVE-2019-1028 Windows Audio Service Elevation of Privilege Vulnerability
Windows NTLM CVE-2019-1019 Microsoft Windows Security Feature Bypass Vulnerability
Windows Shell CVE-2019-0986 Windows User Profile Service Elevation of Privilege Vulnerability
Windows Shell CVE-2019-1053 Windows Shell Elevation of Privilege Vulnerability

CVE-2019-0888 - ActiveX Data Objects (ADO) Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0888
MITRE
NVD
CVE Title: ActiveX Data Objects (ADO) Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with the victim user’s privileges.

An attacker could craft a website that exploits the vulnerability and then convince a victim user to visit the website.

The security update addresses the vulnerability by modifying how ActiveX Data Objects handle objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0888
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Critical Remote Code Execution
4499151
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Critical Remote Code Execution 4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Critical Remote Code Execution 4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Critical Remote Code Execution
4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Critical Remote Code Execution 4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Critical Remote Code Execution 4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Critical Remote Code Execution
4499171
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Critical Remote Code Execution
4499171
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0888 Yaniv Frank of SophosLabs
https://www.sophos.com/en-us/labs.aspx


CVE-2019-0904 - Jet Database Engine Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0904
MITRE
NVD
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.


FAQ:

Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0904
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0904 Keqi Hu and zhangjie from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.


CVE-2019-0905 - Jet Database Engine Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0905
MITRE
NVD
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.


FAQ:

Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0905
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0905 Keqi Hu and zhangjie from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.


CVE-2019-0906 - Jet Database Engine Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0906
MITRE
NVD
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.


FAQ:

Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0906
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0906 Keqi Hu and zhangjie from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.


CVE-2019-0907 - Jet Database Engine Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0907
MITRE
NVD
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.


FAQ:

Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0907
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0907 Keqi Hu and zhangjie from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.


CVE-2019-0908 - Jet Database Engine Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0908
MITRE
NVD
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.


FAQ:

Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0908
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0908 rgod of 9sg Security Team - rgod@9sgsec.com working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-0909 - Jet Database Engine Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0909
MITRE
NVD
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.


FAQ:

Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0909
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0909 Gal De Leon and Bar Lahav of Palo Alto Networks
https://www.paloaltonetworks.com/


CVE-2019-0941 - Microsoft IIS Server Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0941
MITRE
NVD
CVE Title: Microsoft IIS Server Denial of Service Vulnerability
Description:

A denial of service exists in Microsoft IIS Server when the optional request filtering feature improperly handles requests. An attacker who successfully exploited this vulnerability could perform a temporary denial of service against pages configured to use request filtering.

To exploit this vulnerability, an attacker could send a specially crafted request to a page utilizing request filtering.

The update addresses the vulnerability by changing the way certain requests are processed by the filter.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0941
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Denial of Service
4499151
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Denial of Service 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Denial of Service
4499149
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Denial of Service 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Denial of Service 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Denial of Service 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Denial of Service 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Denial of Service 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Denial of Service 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0941 Hoai Viet Nguyen of Data & Application Security Group of TH Köln
https://das.th-koeln.de/


CVE-2019-0943 - Windows ALPC Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0943
MITRE
NVD
CVE Title: Windows ALPC Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).

An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.

The update addresses the vulnerability by correcting how Windows handles calls to ALPC.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0943
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0943 James Forshaw of Google Project Zero
http://www.google.com/


CVE-2019-0948 - Windows Event Viewer Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0948
MITRE
NVD
CVE Title: Windows Event Viewer Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.

To exploit the vulnerability, an attacker could create a file containing specially crafted XML content and convince an authenticated user to import the file.

The update addresses the vulnerability by modifying the way that the Event Viewer parses XML input.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from file system.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Moderate Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0948
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Moderate Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Moderate Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Moderate Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Moderate Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Moderate Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Moderate Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Moderate Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Moderate Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Moderate Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Moderate Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Moderate Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Moderate Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Moderate Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Moderate Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Moderate Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Moderate Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Moderate Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Moderate Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Moderate Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Moderate Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Moderate Information Disclosure
4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Moderate Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Moderate Information Disclosure 4499151 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Moderate Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Moderate Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Moderate Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Moderate Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Moderate Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Moderate Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Moderate Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Moderate Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Moderate Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Moderate Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Moderate Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Moderate Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Moderate Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Moderate Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Moderate Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Moderate Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Moderate Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Moderate Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0948 Eran Vaknin, Alon Boxiner, Oded Vanunu
https://il.linkedin.com/in/eran-vaknin,https://il.linkedin.com/in/alon-boxiner-a1a713b4,https://il.linkedin.com/in/oded-vanunu-a131283


CVE-2019-0959 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0959
MITRE
NVD
CVE Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.

The security update addresses the vulnerability by correcting how CLFS handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0959
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0959 James Forshaw of Google Project Zero
http://www.google.com/


CVE-2019-0972 - Local Security Authority Subsystem Service Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0972
MITRE
NVD
CVE Title: Local Security Authority Subsystem Service Denial of Service Vulnerability
Description:

This security update corrects a denial of service in the Local Security Authority Subsystem Service (LSASS) caused when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system.

The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0972
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Denial of Service
4499151
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Denial of Service 4499151 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Denial of Service
4499149
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2016 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2019 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.60
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0972 Danyal Drew of The Missing Link
https://www.themissinglink.com.au/


CVE-2019-0973 - Windows Installer Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0973
MITRE
NVD
CVE Title: Windows Installer Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior.

A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable Yes No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0973
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Elevation of Privilege
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0973 None

CVE-2019-0974 - Jet Database Engine Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0974
MITRE
NVD
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system.

An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file.

The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.


FAQ:

Are Active Directory and Exchange Server affected by this vulnerability? No, Active Directory and Exchange Server are not affected.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0974
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0974 Shih-Fong Peng (@_L4ys) of Team T5
https://twitter.com/_L4ys,https://teamt5.org


CVE-2019-0984 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0984
MITRE
NVD
CVE Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.

The security update addresses the vulnerability by correcting how CLFS handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0984
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Elevation of Privilege
4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0984 pgboy
http://weibo.com/pgboy1988


CVE-2019-0988 - Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0988
MITRE
NVD
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0988
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4503285 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499171
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 4503259 (IE Cumulative) Moderate Remote Code Execution 4498206 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 R2 4503276 (Monthly Rollup) Moderate Remote Code Execution 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0988 Yuki Chen of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-0989 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0989
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0989
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0989 Qixun Zhao of Qihoo 360 Vulcan Team​
https://twitter.com/S0rryMybad,http://www.360.com/


CVE-2019-1009 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1009
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1009
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1009 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1010 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1010
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1010
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Information Disclosure
4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Information Disclosure 4499151 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1010 Kamlapati Choubey of Trend Micro


CVE-2019-1011 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1011
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1011
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1011 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1012 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1012
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1012
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Information Disclosure
4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Information Disclosure 4499151 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1012 Sooraj K S (@soorajks) working with Trend Micro's Zero Day Initiative
https://twitter.com/soorajks,https://www.zerodayinitiative.com/


CVE-2019-1013 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1013
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1013
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1013 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1014 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1014
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how Win32k handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1014
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Elevation of Privilege
4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1014 Omri Herscovici of Check Point
https://www.checkpoint.com/


CVE-2019-1015 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1015
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1015
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1015 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1016 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1016
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1016
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1016 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1017 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1017
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how Win32k handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1017
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Elevation of Privilege
4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1017 pgboy of Qihoo 360 Vulcan Team
https://weibo.com/pgboy1988,https://www.360.cn/


CVE-2019-1018 - DirectX Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1018
MITRE
NVD
CVE Title: DirectX Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses the vulnerability by correcting how DirectX handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1018
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1018 Rohit Mothe of iDefense Labs


CVE-2019-1029 - Skype for Business and Lync Server Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1029
MITRE
NVD
CVE Title: Skype for Business and Lync Server Denial of Service Vulnerability
Description:

A denial of service vulnerability exists in Skype for Business. An attacker who successfully exploited the vulnerability could cause Skype for Business to stop responding. Note that the denial of service would not allow an attacker to execute code or to elevate the attacker's user rights.

To exploit the vulnerability, an attacker needs to obtain a dial-in link for a vulnerable server and then initiates a series of calls within a short amount of time.

The update addresses the vulnerability by correcting the way that Skype for Business server handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1029
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Lync Server 2010 4506009 (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Lync Server 2013 4506009 (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1029 None

CVE-2019-1036 - Microsoft Office SharePoint XSS Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1036
MITRE
NVD
CVE Title: Microsoft Office SharePoint XSS Vulnerability
Description:

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1036
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Project Server 2010 Service Pack 2 4092442 (Security Update) Important Spoofing 4022210 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Enterprise Server 2016 4464594 (Security Update) Important Spoofing 4464549 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Foundation 2013 Service Pack 1 4464602 (Security Update) Important Spoofing 4464564 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Server 2019 4475512 (Security Update) Important Spoofing 4464556 Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1036 Ashar Javed of Hyundai AutoEver Europe GmbH
https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/


CVE-2019-1046 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1046
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1046
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Information Disclosure
4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Information Disclosure 4499151 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1046 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1047 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1047
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1047
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1047 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1048 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1048
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1048
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1048 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1049 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1049
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1049
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1049 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1050 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1050
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1050
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Information Disclosure
4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Information Disclosure 4499151 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1050 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1054 - Microsoft Edge Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1054
MITRE
NVD
CVE Title: Microsoft Edge Security Feature Bypass Vulnerability
Description:

A security feature bypass vulnerability exists in Edge that allows for bypassing Mark of the Web Tagging (MOTW). Failing to set the MOTW means that a large number of Microsoft security technologies are bypassed.

In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass. Alternatively, in an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file that is designed to exploit the bypass. Additionally, compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass. However, in all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment.

The security update addresses the security feature bypass by correcting how Edge handles MOTW tagging.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1054
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Security Feature Bypass 4494440 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Security Feature Bypass 4494440 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Security Feature Bypass 4499181 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Security Feature Bypass 4499181 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Security Feature Bypass 4499179 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Security Feature Bypass 4499179 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Security Feature Bypass 4499179 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Security Feature Bypass 4499167 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Security Feature Bypass 4499167 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Security Feature Bypass 4499167 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Security Feature Bypass 4497936 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Security Feature Bypass 4497936 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Security Feature Bypass 4497936 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Low Security Feature Bypass 4494440 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Low Security Feature Bypass 4494441 Base: 5.00
Temporal: 4.50
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1054 None

CVE-2019-1055 - Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1055
MITRE
NVD
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1055
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4503285 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499171
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499164
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 4503259 (IE Cumulative) Moderate Remote Code Execution 4498206 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 R2 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499151
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499149
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 4503287 (Security Only)
4503259 (IE Cumulative)
Moderate Remote Code Execution
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1055 Yuki Chen of Qihoo 360 Vulcan Team
http://www.360.com/


ADV190018 - Microsoft Exchange Server Defense in Depth Update

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
ADV190018
MITRE
NVD
CVE Title: Microsoft Exchange Server Defense in Depth Update
Description:

Microsoft has released an update for Microsoft Exchange Server that provides enhanced security as a defense in depth measure.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Unknown Defense in Depth

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

ADV190018
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Exchange Server 2010 Service Pack 3 4503028 (Security Update) Unknown Defense in Depth 4491413 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Exchange Server 2013 Cumulative Update 22 4503028 (Security Update) Unknown Defense in Depth 4487563 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Exchange Server 2016 Cumulative Update 11 4503027 (Security Update) Unknown Defense in Depth 4487563 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Exchange Server 2016 Cumulative Update 12 4503027 (Security Update) Unknown Defense in Depth 4487563 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Exchange Server 2019 4503027 (Security Update) Unknown Defense in Depth 4487563 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Exchange Server 2019 Cumulative Update 1 4503027 (Security Update) Unknown Defense in Depth 4487563 Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
ADV190018 Nicolas Joly of Microsoft Corporation
https://twitter.com/n_joly


ADV990001 - Latest Servicing Stack Updates

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
ADV990001
MITRE
NVD
CVE Title: Latest Servicing Stack Updates
Description:

This is a list of the latest servicing stack updates for each operating sytem. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.


FAQ:

1. Why are all of the Servicing Stack Updates (SSU) critical updates?

The SSUs are classified as Critical updates. This does not indicate that there is a critical vulnerability being addressed in the update.

2. When was the most recent SSU released for each version of Microsoft Windows?

Please refer to the following table for the most recent SSU release. We will update the entries any time a new SSU is released:

Product SSU Package Date Released
Windows Server 2008 4493730 April 2019
Windows 7/Server 2008 R2 4490628 March 2019
Windows Server 2012 3173426 July 2016
Windows 8.1/Server 2012 R2 3173424 July 2016
Windows 10 4498353 May 2019
Windows 10 Version 1607/Server 2016 4503537 June 2019
Windows 10 Version 1703 4500640 May 2019
Windows 10 1709/Windows Server, version 1709 4500641 May 2019
Windows 10 1803/Windows Server, version 1803 4497398 May 2019
Windows 10 1809/Server 2019 4504369 June 2019
Windows 10 1903/Windows Server, version 1903 4500109 May 2019


Mitigations:
None
Workarounds:
None
Revision:
5.0    2019-02-12T08:00:00    

A Servicing Stack Update has been released for Windows 10 Version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation); Windows 10 Version 1703; Windows 10 Version 1709 and Windows Server, version 1709 (Server Core Installation); Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information.


3.2    2018-12-12T08:00:00    

Fixed a typo in the FAQ.


5.2    2019-02-14T08:00:00    

In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1803 for x64-based Systems to 4485449. This is an informational change only.


3.1    2018-12-11T08:00:00    

Updated supersedence information. This is an informational change only.


5.1    2019-02-13T08:00:00    

In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1809 for x64-based Systems to 4470788. This is an informational change only.


1.2    2018-12-03T08:00:00    

FAQs have been added to further explain Security Stack Updates. The FAQs include a table that indicates the most recent SSU release for each Windows version. This is an informational change only.


9.0    2019-06-11T07:00:00    

A Servicing Stack Update has been released for Windows 10 version 1607, Windows Server 2016, Windows 10 version 1809, and Windows Server 2019. See the FAQ section for more information.


1.1    2018-11-14T08:00:00    

Corrected the link to the Windows Server 2008 Servicing Stack Update. This is an informational change only.


7.0    2019-04-09T07:00:00    

A Servicing Stack Update has been released for Windows Server 2008 and Windows Server 2008 (Server Core installation); Windows 10 version 1809, Windows Server 2019, and Windows Server 2019 (Server Core installation). See the FAQ section for more information.


8.0    2019-05-14T07:00:00    

A Servicing Stack Update has been released for Windows 10 version 1507, Windows 10 version 1607, Windows Server 2016, Windows 10 version 1703, Windows 10 version 1709, Windows Server, version 1709, Windows 10 version 1803, Windows Server, version 1803, Windows 10 version 1809, Windows Server 2019, Windows 10 version 1809 and Windows Server, version 1809. See the FAQ section for more information.


3.0    2018-12-11T08:00:00    

A Servicing Stack Update has been released for Windows 10 Version 1709, Windows Server, version 1709 (Server Core Installation), Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information.


2.0    2018-12-05T08:00:00    

A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information.


1.0    2018-11-13T08:00:00    

Information published.


4.0    2019-01-08T08:00:00    

A Servicing Stack Update has been released for Windows 10 Version 1703. See the FAQ section for more information.


6.0    2019-03-12T07:00:00    

A Servicing Stack Update has been released for Windows 7 and Windows Server 2008 R2 and Windows Server 2008 R2 (Server Core installation). See the FAQ section for more information.


Critical Defense in Depth

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

ADV990001
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4498353 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 for x64-based Systems 4498353 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1607 for 32-bit Systems 4503537 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1607 for x64-based Systems 4503537 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1703 for 32-bit Systems 4500640 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1703 for x64-based Systems 4500640 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1709 for 32-bit Systems 4500641 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1709 for ARM64-based Systems 4500641 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1709 for x64-based Systems 4500641 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1803 for 32-bit Systems 4497398 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1803 for ARM64-based Systems 4497398 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1803 for x64-based Systems 4497398 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1809 for 32-bit Systems 4504369 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1809 for ARM64-based Systems 4504369 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1809 for x64-based Systems 4504369 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for 32-bit Systems 4500109 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for ARM64-based Systems 4500109 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for x64-based Systems 4500109 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 7 for 32-bit Systems Service Pack 1 4490628 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 7 for x64-based Systems Service Pack 1 4490628 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 8.1 for 32-bit systems 3173424 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 8.1 for x64-based systems 3173424 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4493730 (Servicing Stack Update) Critical Defense in Depth 955430 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4493730 (Servicing Stack Update) Critical Defense in Depth 955430 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4493730 (Servicing Stack Update) Critical Defense in Depth 955430 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4493730 (Servicing Stack Update) Critical Defense in Depth 955430 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4493730 (Servicing Stack Update) Critical Defense in Depth 955430 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4490628 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4490628 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4490628 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 3173426 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 (Server Core installation) 3173426 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 R2 3173424 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 R2 (Server Core installation) 3173424 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2016 4503537 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2016 (Server Core installation) 4503537 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2019 4504369 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2019 (Server Core installation) 4504369 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server, version 1803 (Server Core Installation) 4497398 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server, version 1903 (Server Core installation) 4500109 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
Yes

Acknowledgements

CVE ID Acknowledgements
ADV990001 None

CVE-2019-0620 - Windows Hyper-V Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0620
MITRE
NVD
CVE Title: Windows Hyper-V Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0620
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Critical Remote Code Execution
4499171
Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Critical Remote Code Execution
4499171
Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0620 HongZhenhao of IceSword Lab, Qihoo 360


CVE-2019-0709 - Windows Hyper-V Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0709
MITRE
NVD
CVE Title: Windows Hyper-V Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0709
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.60
Temporal: 6.80
Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0709 Joe Bialek (@JosephBialek), MSRC Vulnerabilities and Mitigations Team
https://twitter.com/JosephBialek


CVE-2019-0710 - Windows Hyper-V Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0710
MITRE
NVD
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description:

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash.

To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application.

The security update addresses the vulnerability by resolving a number of conditions where Hyper-V would fail to prevent a guest operating system from sending malicious requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0710
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for x64-based Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Denial of Service 4499151 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0710 Joe Bialek (@JosephBialek), MSRC Vulnerabilities and Mitigations Team
https://twitter.com/JosephBialek


CVE-2019-0711 - Windows Hyper-V Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0711
MITRE
NVD
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description:

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash.

To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application.

The security update addresses the vulnerability by resolving a number of conditions where Hyper-V would fail to prevent a guest operating system from sending malicious requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0711
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for x64-based Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Denial of Service 4499151 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0711 Joe Bialek (@JosephBialek), MSRC Vulnerabilities and Mitigations Team
https://twitter.com/JosephBialek


CVE-2019-0713 - Windows Hyper-V Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0713
MITRE
NVD
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description:

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash.

To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application.

The security update addresses the vulnerability by resolving a number of conditions where Hyper-V would fail to prevent a guest operating system from sending malicious requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0713
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for x64-based Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Denial of Service 4499151 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Denial of Service
4499149
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.80
Temporal: 6.10
Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0713 Hyper-V Development Team


CVE-2019-0722 - Windows Hyper-V Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0722
MITRE
NVD
CVE Title: Windows Hyper-V Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0722
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Critical Remote Code Execution
4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Critical Remote Code Execution 4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Critical Remote Code Execution 4499149
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Critical Remote Code Execution
4499171
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Critical Remote Code Execution
4499171
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Critical Remote Code Execution 4499151
Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 8.80
Temporal: 7.90
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0722 Joe Bialek (@JosephBialek), MSRC Vulnerabilities and Mitigations Team Anonymous finder
https://twitter.com/JosephBialek


CVE-2019-0920 - Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0920
MITRE
NVD
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0920
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4503285 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499171
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499164
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 4503259 (IE Cumulative) Moderate Remote Code Execution 4498206 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 R2 4503276 (Monthly Rollup) Moderate Remote Code Execution 4499151 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup) Moderate Remote Code Execution 4499149 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499149
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0920 Yuki Chen of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-0960 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0960
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how Win32k handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0960
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Elevation of Privilege
4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0960 Yanmin Ji from Skylar Team of Legendsec at Qi'anxin Group


CVE-2019-0968 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0968
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0968
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0968 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-0977 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0977
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0977
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 4.70
Temporal: 4.20
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0977 kdot working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-0983 - Windows Storage Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0983
MITRE
NVD
CVE Title: Windows Storage Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system.

To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application.

The security update addresses the vulnerability by correcting how the Storage Services handles file operations.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0983
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0983 k0shl of Qihoo 360 Vulcan Team


CVE-2019-0985 - Microsoft Speech API Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0985
MITRE
NVD
CVE Title: Microsoft Speech API Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Microsoft Speech API (SAPI) improperly handles text-to-speech (TTS) input. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user.

To exploit the vulnerability, an attacker would need to convince a user to open a specially crafted document containing TTS content invoked through a scripting language.

The update address the vulnerability by modifying how the system handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0985
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Critical Remote Code Execution
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0985 Ke Liu of Tencent Security Xuanwu Lab


CVE-2019-0986 - Windows User Profile Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0986
MITRE
NVD
CVE Title: Windows User Profile Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks. An attacker who successfully exploited this vulnerability could delete files and folders in an elevated context.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and delete files or folders of their choosing.

The security update addresses the vulnerability by correcting how the Windows User Profile Service handles symlinks.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0986
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Elevation of Privilege
4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0986 Chris Danieli
https://www.linkedin.com/in/chrisdanieli


CVE-2019-0990 - Scripting Engine Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0990
MITRE
NVD
CVE Title: Scripting Engine Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

In a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site.

The security update addresses the vulnerability by changing how the scripting engine handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0990
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Information Disclosure None Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Information Disclosure 4499154 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Information Disclosure 4499154 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Information Disclosure 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Information Disclosure 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Information Disclosure 4499181 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Information Disclosure 4499181 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Information Disclosure 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Information Disclosure 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Information Disclosure 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Information Disclosure 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Information Disclosure 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Information Disclosure 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Information Disclosure 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Information Disclosure 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Information Disclosure 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Information Disclosure 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0990 Qixun Zhao of Qihoo 360 Vulcan Team​
https://twitter.com/S0rryMybad,http://www.360.com/


MoonLiang of Tencent Security Xuanwu Lab
https://xlab.tencent.com/


CVE-2019-0991 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0991
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0991
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Remote Code Execution None Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0991 Qixun Zhao of Qihoo 360 Vulcan Team​
https://twitter.com/S0rryMybad,http://www.360.com/


CVE-2019-0992 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0992
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0992
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0992 Qixun Zhao of Qihoo 360 Vulcan Team​
https://twitter.com/S0rryMybad,http://www.360.com/


CVE-2019-0993 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0993
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Moderate Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0993
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Remote Code Execution None Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0993 Qixun Zhao of Qihoo 360 Vulcan Team​
https://twitter.com/S0rryMybad,http://www.360.com/


CVE-2019-0996 - Azure DevOps Server Spoofing Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0996
MITRE
NVD
CVE Title: Azure DevOps Server Spoofing Vulnerability
Description:

A spoofing vulnerability exists in Azure DevOps Server when it improperly handles requests to authorize applications, resulting in a cross-site request forgery. An attacker who successfully exploited this vulnerability could bypass OAuth protections and register an application on behalf of the targeted user.

To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request. The attacker would then need to convince a targeted user to click a link to the malicious page.

The update addresses the vulnerability by modifying how Azure DevOps Server protects application registration requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0996
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Azure DevOps Server 2019 Release Notes (Security Update) Important Spoofing None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0996 Terry Zhang (@pnig0s) of Tophant
https://twitter.com/pnig0s


CVE-2019-0998 - Windows Storage Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-0998
MITRE
NVD
CVE Title: Windows Storage Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Storage Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges on the victim system.

To exploit the vulnerability, an attacker would first have to gain execution on the victim system, then run a specially crafted application.

The security update addresses the vulnerability by correcting how the Storage Services handles file operations.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-0998
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-0998 k0shl of Qihoo 360 Vulcan Team


CVE-2019-1002 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1002
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1002
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1002 Yuki Chen of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-1003 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1003
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1003
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Remote Code Execution None Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1003 Qixun Zhao of Qihoo 360 Vulcan Team​
https://twitter.com/S0rryMybad,http://www.360.com/


Yuki Chen of Qihoo 360 Vulcan Team
http://www.360.com/


Liu Long of Qihoo 360 Vulcan Team


MoonLiang of Tencent Security Xuanwu Lab
https://xlab.tencent.com/


CVE-2019-1005 - Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1005
MITRE
NVD
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Low Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1005
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4503285 (Monthly Rollup)
4503259 (IE Cumulative)
Low Remote Code Execution 4499171
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
No
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Important Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Important Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Important Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Important Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
Yes
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Low Remote Code Execution 4499164
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 4503259 (IE Cumulative) Low Remote Code Execution 4498206 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 R2 4503276 (Monthly Rollup) Low Remote Code Execution 4499151 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2016 4503267 (Security Update) Low Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2019 4503327 (Security Update) Low Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Low Remote Code Execution 4499149
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Low Remote Code Execution 4499149
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1005 Yuki Chen of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-1007 - Windows Audio Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1007
MITRE
NVD
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.

To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.

The update addresses the vulnerability by correcting how the Windows Audio Service handles processes these requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1007
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1007 zhong_sf of Qihoo 360 Vulcan Team
http://www.360.com/


pgboy of Qihoo 360 Vulcan Team
https://weibo.com/pgboy1988,https://www.360.cn/


CVE-2019-1019 - Microsoft Windows Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1019
MITRE
NVD
CVE Title: Microsoft Windows Security Feature Bypass Vulnerability
Description:

A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages.

To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could access another machine using the original user privileges.

The issue has been addressed by changing how NTLM validates network authentication messages.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1019
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Security Feature Bypass 4499154 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Security Feature Bypass 4499154 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Security Feature Bypass 4494440 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Security Feature Bypass 4494440 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Security Feature Bypass 4499181 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Security Feature Bypass 4499181 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Security Feature Bypass 4499179 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Security Feature Bypass 4499179 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Security Feature Bypass 4499179 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Security Feature Bypass 4499167 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Security Feature Bypass 4499167 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Security Feature Bypass 4499167 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Security Feature Bypass 4497936 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Security Feature Bypass 4497936 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Security Feature Bypass 4497936 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Security Feature Bypass
4499164
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Security Feature Bypass
4499164
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Security Feature Bypass
4499151
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Security Feature Bypass 4499151
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Security Feature Bypass 4499151 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Security Feature Bypass 4499149
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Security Feature Bypass 4499149
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Security Feature Bypass
4499149
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Security Feature Bypass 4499149
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Security Feature Bypass 4499149
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Security Feature Bypass
4499164
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Security Feature Bypass
4499164
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Security Feature Bypass
4499164
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Security Feature Bypass
4499171
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Security Feature Bypass
4499171
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Security Feature Bypass 4499151
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Security Feature Bypass 4499151
Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Security Feature Bypass 4494440 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Security Feature Bypass 4494440 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Security Feature Bypass 4499167 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Security Feature Bypass 4497936 Base: 8.50
Temporal: 7.60
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1019 Sergei Glazunov of Google Project Zero


https://www.preempt.com/


CVE-2019-1021 - Windows Audio Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1021
MITRE
NVD
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.

To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.

The update addresses the vulnerability by correcting how the Windows Audio Service handles processes these requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1021
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1021 zhong_sf of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-1022 - Windows Audio Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1022
MITRE
NVD
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.

To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.

The update addresses the vulnerability by correcting how the Windows Audio Service handles processes these requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1022
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1022 zhong_sf of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-1023 - Scripting Engine Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1023
MITRE
NVD
CVE Title: Scripting Engine Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

In a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site.

The security update addresses the vulnerability by changing how the scripting engine handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1023
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Information Disclosure None Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Information Disclosure 4499154 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Information Disclosure 4499154 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Information Disclosure 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Information Disclosure 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Information Disclosure 4499181 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Information Disclosure 4499181 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Information Disclosure 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Information Disclosure 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Information Disclosure 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Information Disclosure 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Information Disclosure 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Information Disclosure 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Information Disclosure 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Information Disclosure 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Information Disclosure 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Information Disclosure 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Information Disclosure 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1023 lowkey lin of r3kapig


CVE-2019-1024 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1024
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1024
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Remote Code Execution None Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1024 exp-sky (Kai Song) of Tencent Security Xuanwu Lab
https://xlab.tencent.com/


MoonLiang of Tencent Security Xuanwu Lab
https://xlab.tencent.com/


CVE-2019-1025 - Windows Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1025
MITRE
NVD
CVE Title: Windows Denial of Service Vulnerability
Description:

A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or to convince a user to open a specific file on a network share. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding.

The update addresses the vulnerability by correcting how Windows handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1025
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Denial of Service 4499154 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Denial of Service 4499181 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Denial of Service 4499179 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Denial of Service
4499151
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Denial of Service 4499151 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Denial of Service
4499149
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Denial of Service 4499149
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Denial of Service
4499164
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Denial of Service
4499171
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Denial of Service 4499151
Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Denial of Service 4494440 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Denial of Service 4494441 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Denial of Service 4499167 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Denial of Service 4497936 Base: 6.50
Temporal: 5.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1025 None

CVE-2019-1026 - Windows Audio Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1026
MITRE
NVD
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.

To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.

The update addresses the vulnerability by correcting how the Windows Audio Service handles processes these requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1026
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1026 zhong_sf of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-1027 - Windows Audio Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1027
MITRE
NVD
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.

To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.

The update addresses the vulnerability by correcting how the Windows Audio Service handles processes these requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1027
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1027 zhong_sf of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-1028 - Windows Audio Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1028
MITRE
NVD
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.

To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.

The update addresses the vulnerability by correcting how the Windows Audio Service handles processes these requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1028
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1028 zhong_sf of Qihoo 360 Vulcan Team
http://www.360.com/


CVE-2019-1031 - Microsoft Office SharePoint XSS Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1031
MITRE
NVD
CVE Title: Microsoft Office SharePoint XSS Vulnerability
Description:

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1031
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 4464594 (Security Update) Important Spoofing 4464549 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Foundation 2010 Service Pack 2 4464571 (Security Update) Important Spoofing 4464525 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Foundation 2013 Service Pack 1 4464597 (Security Update) Important Spoofing 4464511 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Server 2019 4475512 (Security Update) Important Spoofing 4464556 Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1031 Ashar Javed of Hyundai AutoEver Europe GmbH
https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/


CVE-2019-1032 - Microsoft Office SharePoint XSS Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1032
MITRE
NVD
CVE Title: Microsoft Office SharePoint XSS Vulnerability
Description:

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1032
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft SharePoint Enterprise Server 2016 4464594 (Security Update) Important Spoofing 4464549 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Server 2019 4475512 (Security Update) Important Spoofing 4464556 Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1032 Ashar Javed of Hyundai AutoEver Europe GmbH
https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/


CVE-2019-1033 - Microsoft Office SharePoint XSS Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1033
MITRE
NVD
CVE Title: Microsoft Office SharePoint XSS Vulnerability
Description:

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server.

The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1033
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Project Server 2010 Service Pack 2 4092442 (Security Update) Important Spoofing 4022210 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Enterprise Server 2016 4464594 (Security Update) Important Spoofing 4464549 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Foundation 2013 Service Pack 1 4464602 (Security Update) Important Spoofing 4464564 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Server 2019 4475512 (Security Update) Important Spoofing 4464556 Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1033 Ashar Javed of Hyundai AutoEver Europe GmbH
https://twitter.com/soaj1664ashar,https://www.hyundai-autoever.eu/


CVE-2019-1034 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1034
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.

To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1034
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Office 2010 Service Pack 2 (32-bit editions) 4462178 (Security Update) Important Remote Code Execution 4461617 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2010 Service Pack 2 (64-bit editions) 4462178 (Security Update) Important Remote Code Execution 4461617 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office Online Server 4475511 (Security Update) Important Remote Code Execution 4462169 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office Web Apps 2010 Service Pack 2 4461621 (Security Update) Important Remote Code Execution 4461527 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Enterprise Server 2013 Service Pack 1 4464602 (Security Update) Important Remote Code Execution 4464564 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Enterprise Server 2016 4464594 (Security Update) Important Remote Code Execution 4464549 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Server 2010 Service Pack 2 4461611 (Security Update) Important Remote Code Execution 4461520 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Server 2019 4475512 (Security Update) Important Remote Code Execution 4464556 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2010 Service Pack 2 (32-bit editions) 4461619 (Security Update) Important Remote Code Execution 4461526 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2010 Service Pack 2 (64-bit editions) 4461619 (Security Update) Important Remote Code Execution 4461526 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2013 RT Service Pack 1 4464590 (Security Update) Important Remote Code Execution 4461594 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2013 Service Pack 1 (32-bit editions) 4464590 (Security Update) Important Remote Code Execution 4461594 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2013 Service Pack 1 (64-bit editions) 4464590 (Security Update) Important Remote Code Execution 4461594 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2016 (32-bit edition) 4464596 (Security Update) Important Remote Code Execution 4464536 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2016 (64-bit edition) 4464596 (Security Update) Important Remote Code Execution 4464536 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Office 365 ProPlus for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1034 Anonymous working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


CVE-2019-1035 - Microsoft Word Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1035
MITRE
NVD
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.

To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1035
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Office 2016 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office Online Server 4475511 (Security Update) Important Remote Code Execution 4462169 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft SharePoint Server 2019 4475512 (Security Update) Important Remote Code Execution 4464556 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Office 365 ProPlus for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1035 L4Nce working with Trend Micro's Zero Day Initiative
https://www.zerodayinitiative.com/


ADV190015 - June 2019 Adobe Flash Security Update

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
ADV190015
MITRE
NVD
CVE Title: June 2019 Adobe Flash Security Update
Description:

This security update addresses the following vulnerability, which is described in Adobe Security Bulletin APSB19-30: CVE-2019-7845.

Please note that in the event of any discrepancies. the definitive source of information (for example, vulnerability severity and impact) is the Adobe Flash bulletin as referenced.


FAQ:

How could an attacker exploit these vulnerabilities? In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. For more information about Internet Explorer and the CV List, please see the MSDN Article, Developer Guidance for websites with content for Adobe Flash Player in Windows 8.



Mitigations:

Workarounds:

Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.

Prevent Adobe Flash Player from running You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To set the kill bit for the control in the registry, perform the following steps:

  1. Paste the following into a text file and save it with the .reg file extension.

     Windows Registry Editor Version 5.00
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
     "Compatibility Flags"=dword:00000400
    
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
     "Compatibility Flags"=dword:00000400
    
  2. Double-click the .reg file to apply it to an individual system.

    You can also apply this workaround across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection.

Note You must restart Internet Explorer for your changes to take effect. Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer. How to undo the workaround. Delete the registry keys that were added in implementing this workaround. Prevent Adobe Flash Player from running in Internet Explorer through Group Policy Note The Group Policy MMC snap-in can be used to set policy for a machine, for an organizational unit, or for an entire domain. For more information about Group Policy, visit the following Microsoft Web sites:

Group Policy Overview What is Group Policy Object Editor? Core Group Policy tools and settings

To disable Adobe Flash Player in Internet Explorer through Group Policy, perform the following steps: Note This workaround does not prevent Flash from being invoked from other applications, such as Microsoft Office 2007 or Microsoft Office 2010.

  1. Open the Group Policy Management Console and configure the console to work with the appropriate Group Policy object, such as local machine, OU, or domain GPO.
  2. Navigate to the following node: Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management
  3. Double-click Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
  4. Change the setting to Enabled.
  5. Click Apply and then click OK to return to the Group Policy Management Console.
  6. Refresh Group Policy on all systems or wait for the next scheduled Group Policy refresh interval for the settings to take effect. Prevent Adobe Flash Player from running in Office 2010 on affected systems Note This workaround does not prevent Adobe Flash Player from running in Internet Explorer. Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the steps in the article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.

To disable Adobe Flash Player in Office 2010 only, set the kill bit for the ActiveX control for Adobe Flash Player in the registry using the following steps:

  1. Create a text file named Disable_Flash.reg with the following contents:
		[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM\Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
	"Compatibility Flags"=dword:00000400
  1. Double-click the .reg file to apply it to an individual system.
  2. Note You must restart Internet Explorer for your changes to take effect. You can also apply this workaround across domains by using Group Policy. For more information about Group Policy, see the TechNet article, Group Policy collection. Prevent ActiveX controls from running in Office 2007 and Office 2010

To disable all ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, including Adobe Flash Player in Internet Explorer, perform the following steps:

  1. Click File, click Options, click Trust Center, and then click Trust Center Settings.
  2. Click ActiveX Settings in the left-hand pane, and then select Disable all controls without notifications.
  3. Click OK to save your settings. Impact of workaround. Office documents that use embedded ActiveX controls may not display as intended. How to undo the workaround.

To re-enable ActiveX controls in Microsoft Office 2007 and Microsoft Office 2010, perform the following steps:

  1. Click File, click Options, click Trust Center, and then click Trust Center Settings.
  2. Click ActiveX Settings in the left-hand pane, and then deselect Disable all controls without notifications.
  3. Click OK to save your settings. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones You can help protect against exploitation of these vulnerabilities by changing your settings for the Internet security zone to block ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Internet Explorer, perform the following steps:

  1. On the Internet Explorer Tools menu, click** Internet Option**s.
  2. In the Internet Options dialog box, click the Security tab, and then click Internet.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
  4. Click Local intranet.
  5. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
  6. Click OK to accept the changes and return to Internet Explorer. Note If no slider is visible, click Default Level, and then move the slider to High. Note Setting the level to High may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High. Impact of workaround. There are side effects to blocking ActiveX Controls and Active Scripting. Many websites on the Internet or an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Blocking ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. If you do not want to block ActiveX Controls or Active Scripting for such sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone". Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against exploitation of these vulnerabilities by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, perform the following steps:

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  7. Click OK to return to Internet Explorer, and then click OK again. Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly. Impact of workaround. There are side effects to prompting before running Active Scripting. Many websites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone". Add sites that you trust to the Internet Explorer Trusted sites zone After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, perform the following steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer. Note Add any sites that you trust not to take malicious action on your system. Two sites in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and they require an ActiveX control to install the update.

Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

ADV190015
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Adobe Flash Player on Windows 10 for 32-bit Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 for x64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1607 for 32-bit Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1607 for x64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1703 for 32-bit Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1703 for x64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1709 for 32-bit Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1709 for ARM64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1709 for x64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1803 for 32-bit Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1803 for ARM64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1803 for x64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1809 for 32-bit Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1809 for ARM64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1809 for x64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1903 for 32-bit Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1903 for ARM64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 10 Version 1903 for x64-based Systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 8.1 for 32-bit systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows 8.1 for x64-based systems 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows RT 8.1 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows Server 2012 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows Server 2012 R2 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows Server 2016 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Adobe Flash Player on Windows Server 2019 4503308 (Security Update) Critical Remote Code Execution 4497932 Base: N/A
Temporal: N/A
Vector: N/A
Yes

Acknowledgements

CVE ID Acknowledgements
ADV190015 None

ADV190016 - Bluetooth Low Energy Advisory

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
ADV190016
MITRE
NVD
CVE Title: Bluetooth Low Energy Advisory
Description:

Executive Summary

Microsoft is aware of an issue that affects the Bluetooth Low Energy (BLE) version of FIDO Security Keys. Due to a misconfiguration in the Bluetooth pairing protocols, it is possible for an attacker who is physically close to a user at the moment he/she uses the security key to communicate with the security key, or communicate with the device to which the key is paired.

Google has issued CVE-2019-2102 for this vulnerability.

To address this issue, Microsoft has blocked the pairing of these Bluetooth Low Energy (BLE) keys with the pairing misconfiguration.

Recommended Actions

  1. Microsoft recommends that customers install the June security update for Windows.
  2. Customers using the Bluetooth Low Energy (BLE) version of the Titan Security Key by Google should review Android’s June Bulletins and Google’s advisory and take appropriate action.
  3. Customers using the Feitian Multipass (Feitian CTAP1/U2F Security Key) should review Feitian's Product Issue Notification website and take appropriate action.

FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

ADV190016
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
ADV190016 Erik Peterson of Microsoft Corp.


Matt Beaver of Microsoft Corp.


ADV190017 - Microsoft HoloLens Remote Code Execution Vulnerabilities

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
ADV190017
MITRE
NVD
CVE Title: Microsoft HoloLens Remote Code Execution Vulnerabilities
Description:

Executive Summary

Microsoft is aware of vulnerabilities that affect the Broadcom wireless chipset included in the Microsoft HoloLens device. The vulnerabilities could allow an unauthenticated attacker in physical proximity to cause a denial of service condition or execute code on a target system. The vulnerabilities were issued CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

To address this issue, Microsoft has included the updated Broadcom firmware in the latest HoloLens update.

Recommended Actions

Microsoft recommends that customers install the June security update for HoloLens. See the Security Updates table for the link to the update and more information.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

ADV190017
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for HoloLens 4503327 (Security Update) Important Remote Code Execution 4494441 Base: N/A
Temporal: N/A
Vector: N/A
Yes

Acknowledgements

CVE ID Acknowledgements
ADV190017 None

CVE-2019-1038 - Microsoft Browser Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1038
MITRE
NVD
CVE Title: Microsoft Browser Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment.

The security update addresses the vulnerability by modifying how Microsoft browsers handle objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1038
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4503285 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499171
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499164
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 4503259 (IE Cumulative) Moderate Remote Code Execution 4498206 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 R2 4503276 (Monthly Rollup) Moderate Remote Code Execution 4499151 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1038 None

CVE-2019-1039 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1039
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.

To exploit this vulnerability, an authenticated attacker could run a specially crafted application. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

The update addresses the vulnerability by correcting how the Windows kernel initializes objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory and kernel memory - unintentional read access to memory contents in kernel space from a user mode process.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1039
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Information Disclosure
4499151
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Information Disclosure 4499151 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Information Disclosure
4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Information Disclosure 4499149
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Information Disclosure
4499164
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Information Disclosure
4499171
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Information Disclosure 4499151
Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Information Disclosure 4494440 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Information Disclosure 4494440 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Information Disclosure 4494441 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Information Disclosure 4494441 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Information Disclosure 4499167 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Information Disclosure 4497936 Base: 5.50
Temporal: 5.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1039 JunGu and ZiMi of Alibaba Orion Security Lab


CVE-2019-1040 - Windows NTLM Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1040
MITRE
NVD
CVE Title: Windows NTLM Tampering Vulnerability
Description:

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features.

To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature.

The update addresses the vulnerability by hardening NTLM MIC protection on the server-side.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1040
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Tampering 4499154 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Tampering 4499154 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Tampering 4494440 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Tampering 4494440 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Tampering 4499181 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Tampering 4499181 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Tampering 4499179 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Tampering 4499179 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Tampering 4499179 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Tampering 4499167 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Tampering 4499167 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Tampering 4499167 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Tampering 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Tampering 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Tampering 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Tampering 4497936 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Tampering 4497936 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Tampering 4497936 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Tampering
4499164
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Tampering
4499164
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Tampering
4499151
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Tampering 4499151
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Tampering 4499151 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Tampering 4499149
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Tampering 4499149
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Tampering
4499149
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Tampering 4499149
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Tampering 4499149
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Tampering
4499164
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Tampering
4499164
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Tampering
4499164
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Tampering
4499171
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Tampering
4499171
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Tampering 4499151
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Tampering 4499151
Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Tampering 4494440 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Tampering 4494440 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Tampering 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Tampering 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Tampering 4499167 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Tampering 4497936 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1040 n1nty from A-TEAM of Legendsec at Qi'anxin Group


Yang Zhang of Back2Zero team Yongtao Wang (@Sanr) of BCM Social Corp.
https://twitter.com/SanR


Eyal Karni, Marina Simakov and Yaron Zinar from Preempt
https://www.preempt.com/


CVE-2019-1041 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1041
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1041
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.00
Temporal: 6.30
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1041 Fluoroacetate working with Trend Micro's Zero Day Initiative
https://twitter.com/fluoroacetate,https://www.zerodayinitiative.com/


CVE-2019-1043 - Comctl32 Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1043
MITRE
NVD
CVE Title: Comctl32 Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists in the way that comctl32.dll handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.

The security update addresses the vulnerability by modifying how comctl32.dll handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1043
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Remote Code Execution 4499154 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Remote Code Execution 4499181 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Remote Code Execution 4499179 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Remote Code Execution
4499151
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Remote Code Execution 4499151 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Remote Code Execution
4499149
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Remote Code Execution 4499149
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Remote Code Execution
4499164
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Remote Code Execution
4499171
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Remote Code Execution 4499151
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Remote Code Execution 4499167 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Remote Code Execution 4497936 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1043 @j00sean based on the previous work of @magicmac2000
https://twitter.com/j00sean,https://twitter.com/magicmac2000


CVE-2019-1044 - Windows Secure Kernel Mode Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1044
MITRE
NVD
CVE Title: Windows Secure Kernel Mode Security Feature Bypass Vulnerability
Description:

A security feature bypass vulnerability exists when Windows Secure Kernel Mode fails to properly handle objects in memory.

To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).

The update addresses the vulnerability by correcting how Windows Secure Kernel Mode handles objects in memory to properly enforce VTLs.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1044
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Security Feature Bypass 4494441 Base: 5.30
Temporal: 4.80
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1044 None

CVE-2019-1045 - Windows Network File System Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1045
MITRE
NVD
CVE Title: Windows Network File System Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists in the way that the Windows Network File System (NFS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

The security update addresses the vulnerability by ensuring the Windows NFS properly handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1045
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1045 None

CVE-2019-1051 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1051
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1051
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Remote Code Execution None Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1051 Bruno Keith
https://twitter.com/bkth_


CVE-2019-1052 - Chakra Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1052
MITRE
NVD
CVE Title: Chakra Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1052
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
ChakraCore on ChakraCore Release Notes (Security Update) Critical Remote Code Execution None Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Maybe
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1052 Qixun Zhao of Qihoo 360 Vulcan Team​
https://twitter.com/S0rryMybad,http://www.360.com/


CVE-2019-1053 - Windows Shell Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1053
MITRE
NVD
CVE Title: Windows Shell Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows Shell fails to validate folder shortcuts. An attacker who successfully exploited the vulnerability could elevate privileges by escaping a sandbox.

To exploit this vulnerability, an attacker would require unprivileged execution on the victim system.

The security update addresses the vulnerability by correctly validating folder shortcuts.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable Yes No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1053
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
No
Windows 7 for 32-bit Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4503290 (Security Only)
4503276 (Monthly Rollup)
Important Elevation of Privilege
4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4503276 (Monthly Rollup) Important Elevation of Privilege 4499151 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4503287 (Security Only)
4503273 (Monthly Rollup)
Important Elevation of Privilege
4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4503273 (Monthly Rollup)
4503287 (Security Only)
Important Elevation of Privilege 4499149
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4503269 (Security Only)
4503292 (Monthly Rollup)
Important Elevation of Privilege
4499164
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2012 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4503263 (Security Only)
4503285 (Monthly Rollup)
Important Elevation of Privilege
4499171
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4503276 (Monthly Rollup)
4503290 (Security Only)
Important Elevation of Privilege 4499151
Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 6.30
Temporal: 5.70
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1053 None

CVE-2019-1064 - Windows Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1064
MITRE
NVD
CVE Title: Windows Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable Yes No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1064
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1064 None

CVE-2019-1065 - Windows Kernel Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1065
MITRE
NVD
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1065
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1065 Fluoroacetate working with Trend Micro's Zero Day Initiative
https://twitter.com/fluoroacetate,https://www.zerodayinitiative.com/


CVE-2019-1069 - Task Scheduler Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1069
MITRE
NVD
CVE Title: Task Scheduler Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system.

To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system.

The security update addresses the vulnerability by correctly validating file operations.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable Yes No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1069
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4503291 (Security Update) Important Elevation of Privilege 4499154 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Elevation of Privilege 4499181 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Elevation of Privilege 4499179 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Windows Server 2016 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4503267 (Security Update) Important Elevation of Privilege 4494440 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4503327 (Security Update) Important Elevation of Privilege 4494441 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4503286 (Security Update) Important Elevation of Privilege 4499167 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4503293 (Security Update) Important Elevation of Privilege 4497936 Base: 7.80
Temporal: 7.00
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1069 None

CVE-2019-1080 - Scripting Engine Memory Corruption Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1080
MITRE
NVD
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description:

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Moderate Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1080
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4503285 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499171
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4503291 (Security Update) Critical Remote Code Execution 4499154 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Critical Remote Code Execution 4494440 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Critical Remote Code Execution 4499181 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Critical Remote Code Execution 4499179 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Critical Remote Code Execution 4499167 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Critical Remote Code Execution 4494441 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Critical Remote Code Execution 4497936 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
No
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499164
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Critical Remote Code Execution 4499151
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4503290 (Security Only)
4503259 (IE Cumulative)
Critical Remote Code Execution
4498206
Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows RT 8.1 4503276 (Monthly Rollup) Critical Remote Code Execution 4499151 Base: 7.50
Temporal: 6.70
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499164
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 4503259 (IE Cumulative) Moderate Remote Code Execution 4498206 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2012 R2 4503290 (Security Only)
4503259 (IE Cumulative)
Moderate Remote Code Execution
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2016 4503267 (Security Update) Moderate Remote Code Execution 4494440 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows Server 2019 4503327 (Security Update) Moderate Remote Code Execution 4494441 Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499149
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Moderate Remote Code Execution 4499149
4498206
Base: 6.40
Temporal: 5.80
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1080 None

CVE-2019-1081 - Microsoft Browser Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1081
MITRE
NVD
CVE Title: Microsoft Browser Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site.

The security update addresses the vulnerability by modifying how Microsoft browsers handle objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.



Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-06-11T07:00:00    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely N/A Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1081
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4503285 (Monthly Rollup)
4503259 (IE Cumulative)
Low Information Disclosure 4499171
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
No
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Important Information Disclosure 4499164
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Important Information Disclosure 4499164
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Important Information Disclosure 4499151
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Important Information Disclosure 4499151
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows RT 8.1 4503276 (Monthly Rollup) Important Information Disclosure 4499151 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 4503292 (Monthly Rollup)
4503259 (IE Cumulative)
Low Information Disclosure 4499164
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows Server 2012 4503259 (IE Cumulative) Low Information Disclosure 4498206 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows Server 2012 R2 4503276 (Monthly Rollup)
4503259 (IE Cumulative)
Low Information Disclosure 4499151
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows Server 2016 4503267 (Security Update) Low Information Disclosure 4494440 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 11 on Windows Server 2019 4503327 (Security Update) Low Information Disclosure 4494441 Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Low Information Disclosure 4499149
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 4503273 (Monthly Rollup)
4503259 (IE Cumulative)
Low Information Disclosure 4499149
4498206
Base: 4.30
Temporal: 3.90
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O
Yes
Microsoft Edge on Windows 10 for 32-bit Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: N/A
Temporal: N/A
Vector: N/A
Yes
Microsoft Edge on Windows 10 for x64-based Systems 4503291 (Security Update) Important Information Disclosure 4499154 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for 32-bit Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1607 for x64-based Systems 4503267 (Security Update) Important Information Disclosure 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for 32-bit Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1703 for x64-based Systems 4503279 (Security Update) Important Information Disclosure 4499181 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for 32-bit Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for ARM64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1709 for x64-based Systems 4503284 (Security Update) Important Information Disclosure 4499179 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for 32-bit Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for ARM64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1803 for x64-based Systems 4503286 (Security Update) Important Information Disclosure 4499167 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for 32-bit Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for ARM64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1809 for x64-based Systems 4503327 (Security Update) Important Information Disclosure 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for 32-bit Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for ARM64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows 10 Version 1903 for x64-based Systems 4503293 (Security Update) Important Information Disclosure 4497936 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
No
Microsoft Edge on Windows Server 2016 4503267 (Security Update) Low Information Disclosure 4494440 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes
Microsoft Edge on Windows Server 2019 4503327 (Security Update) Low Information Disclosure 4494441 Base: 4.20
Temporal: 3.80
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1081 None