Microsoft CVE Summary

This report contains detail for the following vulnerabilities:

Tag CVE ID CVE Title
ADV190026 Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business
End of Life Software CVE-2019-1489 Remote Desktop Protocol Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1465 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1468 Win32k Graphics Remote Code Execution Vulnerability
Microsoft Graphics Component CVE-2019-1466 Windows GDI Information Disclosure Vulnerability
Microsoft Graphics Component CVE-2019-1467 Windows GDI Information Disclosure Vulnerability
Microsoft Office CVE-2019-1400 Microsoft Access Information Disclosure Vulnerability
Microsoft Office CVE-2019-1464 Microsoft Excel Information Disclosure Vulnerability
Microsoft Office CVE-2019-1461 Microsoft Word Denial of Service Vulnerability
Microsoft Office CVE-2019-1462 Microsoft PowerPoint Remote Code Execution Vulnerability
Microsoft Office CVE-2019-1463 Microsoft Access Information Disclosure Vulnerability
Microsoft Scripting Engine CVE-2019-1485 VBScript Remote Code Execution Vulnerability
Microsoft Windows CVE-2019-1453 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
Microsoft Windows CVE-2019-1476 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1477 Windows Printer Service Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1474 Windows Kernel Information Disclosure Vulnerability
Microsoft Windows CVE-2019-1478 Windows COM Server Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1483 Windows Elevation of Privilege Vulnerability
Microsoft Windows CVE-2019-1488 Microsoft Defender Security Feature Bypass Vulnerability
Open Source Software CVE-2019-1487 Microsoft Authentication Library for Android Information Disclosure Vulnerability
Servicing Stack Updates ADV990001 Latest Servicing Stack Updates
Skype for Business CVE-2019-1490 Skype for Business Server Spoofing Vulnerability
SQL Server CVE-2019-1332 Microsoft SQL Server Reporting Services XSS Vulnerability
Visual Studio CVE-2019-1350 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1349 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1486 Visual Studio Live Share Spoofing Vulnerability
Visual Studio CVE-2019-1387 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1354 Git for Visual Studio Remote Code Execution Vulnerability
Visual Studio CVE-2019-1351 Git for Visual Studio Tampering Vulnerability
Visual Studio CVE-2019-1352 Git for Visual Studio Remote Code Execution Vulnerability
Windows Hyper-V CVE-2019-1471 Windows Hyper-V Remote Code Execution Vulnerability
Windows Hyper-V CVE-2019-1470 Windows Hyper-V Information Disclosure Vulnerability
Windows Kernel CVE-2019-1472 Windows Kernel Information Disclosure Vulnerability
Windows Kernel CVE-2019-1458 Win32k Elevation of Privilege Vulnerability
Windows Kernel CVE-2019-1469 Win32k Information Disclosure Vulnerability
Windows Media Player CVE-2019-1480 Windows Media Player Information Disclosure Vulnerability
Windows Media Player CVE-2019-1481 Windows Media Player Information Disclosure Vulnerability
Windows OLE CVE-2019-1484 Windows OLE Remote Code Execution Vulnerability

CVE-2019-1453 - Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1453
MITRE
NVD
CVE Title: Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability
Description:

A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding.

To exploit this vulnerability, an attacker would need to run a specially crafted application against a server which provides Remote Desktop Protocol (RDP) services.

The update addresses the vulnerability by correcting how RDP handles connection requests.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1453
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Denial of Service 4525232
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Denial of Service 4525232
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Denial of Service 4525236
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Denial of Service 4525236
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Denial of Service 4525241
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Denial of Service 4525241
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Denial of Service 4525241
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Denial of Service 4525237
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Denial of Service 4525237
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Denial of Service 4525237
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Denial of Service 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Denial of Service 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Denial of Service 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Denial of Service 4525235
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Denial of Service 4525235
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Denial of Service 4525243
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Denial of Service 4525243
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Denial of Service 4525243
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Denial of Service 4525235
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Denial of Service 4525235
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Denial of Service 4525235
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Denial of Service 4525246
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Denial of Service 4525246
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Denial of Service 4525243
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Denial of Service 4525243
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Denial of Service 4525236
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Denial of Service 4525236
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Denial of Service 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Denial of Service 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Denial of Service 4525237
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Denial of Service 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1453 A member of Cisco Talos


CVE-2019-1470 - Windows Hyper-V Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1470
MITRE
NVD
CVE Title: Windows Hyper-V Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker on a guest operating system could run a specially crafted application that could cause the Hyper-V host operating system to disclose memory information.

An attacker who successfully exploited the vulnerability could gain access to information on the Hyper-V host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1470
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for x64-based Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Information Disclosure 4525236
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Information Disclosure 4525236
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Information Disclosure 4523205
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Information Disclosure 4523205
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Information Disclosure 4525237
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 6.0
Temporal: 5.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1470 ChenNan of Tencent ZhanluLab


CVE-2019-1471 - Windows Hyper-V Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1471
MITRE
NVD
CVE Title: Windows Hyper-V Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1471
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Critical Remote Code Execution 4525237
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Critical Remote Code Execution 4525237
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.2
Temporal: 7.4
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1471 Microsoft Platform Security Assurance & Vulnerability Research


CVE-2019-1472 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1472
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1472
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1472 zhong_sf of Qihoo 360 Vulcan Team


CVE-2019-1474 - Windows Kernel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1474
MITRE
NVD
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Kernel memory read - unintentional read access to memory contents in kernel space from a user mode process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1474
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1474 Fangming Gu of Qihoo 360 Core security


CVE-2019-1480 - Windows Media Player Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1480
MITRE
NVD
CVE Title: Windows Media Player Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed.

To exploit this vulnerability, an attacker would have to log on to an affected system and open a specifically crafted file.

The update addresses the vulnerability by correcting how Windows Media Player handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1480
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1480 hosselot working with Trend Micro's Zero Day Initiative


CVE-2019-1481 - Windows Media Player Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1481
MITRE
NVD
CVE Title: Windows Media Player Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed.

To exploit this vulnerability, an attacker would have to log on to an affected system and open a specifically crafted file.

The update addresses the vulnerability by correcting how Windows Media Player handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1481
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1481 hosselot working with Trend Micro's Zero Day Initiative


hosselot working with Trend Micro's Zero Day Initiative


CVE-2019-1483 - Windows Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1483
MITRE
NVD
CVE Title: Windows Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.

To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges.

The security update addresses the vulnerability by correcting how AppX Deployment Server handles junctions.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1483
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Elevation of Privilege 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Elevation of Privilege 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Elevation of Privilege 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1483 Jeong Oh Kyea(@kkokkokye) of THEORI working with Trend Micro's Zero Day Initiative


CVE-2019-1484 - Windows OLE Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1484
MITRE
NVD
CVE Title: Windows OLE Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code.

To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file or a program, causing Windows to execute arbitrary code.

The update addresses the vulnerability by correcting how Windows OLE validates user input.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1484
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Remote Code Execution 4525232
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Remote Code Execution 4525232
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Remote Code Execution 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Remote Code Execution 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Remote Code Execution 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Remote Code Execution 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Remote Code Execution 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Remote Code Execution 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Remote Code Execution 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Remote Code Execution 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Remote Code Execution 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Remote Code Execution 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Remote Code Execution 4525243
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Remote Code Execution 4525243
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Remote Code Execution 4525243
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Remote Code Execution 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Remote Code Execution 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Remote Code Execution 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Remote Code Execution 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Remote Code Execution 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Remote Code Execution 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Remote Code Execution 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Remote Code Execution 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Remote Code Execution 4525246
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Remote Code Execution 4525246
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Remote Code Execution 4525243
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Remote Code Execution 4525243
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Remote Code Execution 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Remote Code Execution 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Remote Code Execution 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1484 Yuki Chen of Qihoo 360 Vulcan Team


CVE-2019-1487 - Microsoft Authentication Library for Android Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1487
MITRE
NVD
CVE Title: Microsoft Authentication Library for Android Information Disclosure Vulnerability
Description:

An information disclosure vulnerability in Android Apps using Microsoft Authentication Library (MSAL) 0.3.1-Alpha or later exists under specific conditions. This vulnerability could result in sensitive data being exposed.

To exploit this vulnerability an attacker would need to be authenticated to have rights to view the sensitive data.

This security update addresses the vulnerability by modifying how the data is sanitized.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1487
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Authentication Library (MSAL) for Android Github Repository (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1487 None

CVE-2019-1488 - Microsoft Defender Security Feature Bypass Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1488
MITRE
NVD
CVE Title: Microsoft Defender Security Feature Bypass Vulnerability
Description:

A security feature bypass vulnerability exists when Microsoft Defender improperly handles specific buffers. An attacker could exploit the vulnerability to trigger warnings and false positives when no threat is present.

To exploit the vulnerability, an attacker would first require execution permissions on the victim system.

The security update addresses the vulnerability by ensuring Microsoft Defender properly handles these buffers.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Security Feature Bypass

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1488
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Security Feature Bypass 4525232
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Security Feature Bypass 4525232
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Security Feature Bypass 4525236
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Security Feature Bypass 4525236
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Security Feature Bypass 4525241
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Security Feature Bypass 4525241
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Security Feature Bypass 4525241
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Security Feature Bypass 4525237
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Security Feature Bypass 4525237
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Security Feature Bypass 4525237
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Security Feature Bypass 4523205
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Security Feature Bypass 4523205
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Security Feature Bypass 4523205
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Security Feature Bypass 4525235
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Security Feature Bypass 4525235
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Security Feature Bypass 4525243
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Security Feature Bypass 4525243
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Security Feature Bypass 4525243
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Security Feature Bypass 4525234
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Security Feature Bypass 4525234
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Security Feature Bypass 4525234
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Security Feature Bypass 4525234
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Security Feature Bypass 4525234
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Security Feature Bypass 4525235
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Security Feature Bypass 4525235
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Security Feature Bypass 4525235
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Security Feature Bypass 4525246
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Security Feature Bypass 4525246
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Security Feature Bypass 4525243
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Security Feature Bypass 4525243
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Security Feature Bypass 4525236
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Security Feature Bypass 4525236
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Security Feature Bypass 4523205
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Security Feature Bypass 4523205
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Security Feature Bypass 4525237
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Security Feature Bypass 4524570
Base: 3.3
Temporal: 3.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1488 None

CVE-2019-1489 - Remote Desktop Protocol Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1489
MITRE
NVD
CVE Title: Remote Desktop Protocol Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows Remote Desktop Protocol (RDP) fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application.


FAQ:

Why is there no update for this vulnerability?

Microsoft will not provide an update for this vulnerability because Windows XP is out of support. Microsoft strongly recommends upgrading to a supported version of Windows software.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1489
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Windows XP Service Pack 3 Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
Unknown

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1489 Discovered by a member of Cisco Talos


ADV990001 - Latest Servicing Stack Updates

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
ADV990001
MITRE
NVD
CVE Title: Latest Servicing Stack Updates
Description:

This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.


FAQ:

1. Why are all of the Servicing Stack Updates (SSU) critical updates?

The SSUs are classified as Critical updates. This does not indicate that there is a critical vulnerability being addressed in the update.

2. When was the most recent SSU released for each version of Microsoft Windows?

Please refer to the following table for the most recent SSU release. We will update the entries any time a new SSU is released:

Product SSU Package Date Released
Windows Server 2008 4531787 December 2019
Windows 7/Server 2008 R2 4531786 December 2019
Windows Server 2012 4532920 December 2019
Windows 8.1/Server 2012 R2 4524445 November 2019
Windows 10 4523200 November 2019
Windows 10 Version 1607/Server 2016 4520724 November 2019
Windows 10 Version 1703 4521859 October 2019
Windows 10 1709 4523202 November 2019
Windows 10 1803/Windows Server, version 1803 4523203 November 2019
Windows 10 1809/Server 2019 4523204 November 2019
Windows 10 1903/Windows Server, version 1903 4524569 November 2019

3. Where can I find more information about the Servicing Stack Updates?

You can find more information by following these links:


Mitigations:
None
Workarounds:
None
Revision:
1.2    2018-12-03T08:00:00Z    

FAQs have been added to further explain Security Stack Updates. The FAQs include a table that indicates the most recent SSU release for each Windows version. This is an informational change only.


5.1    2019-02-13T08:00:00Z    

In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1809 for x64-based Systems to 4470788. This is an informational change only.


6.0    2019-03-12T07:00:00Z    

A Servicing Stack Update has been released for Windows 7 and Windows Server 2008 R2 and Windows Server 2008 R2 (Server Core installation). See the FAQ section for more information.


8.0    2019-05-14T07:00:00Z    

A Servicing Stack Update has been released for Windows 10 version 1507, Windows 10 version 1607, Windows Server 2016, Windows 10 version 1703, Windows 10 version 1709, Windows Server, version 1709, Windows 10 version 1803, Windows Server, version 1803, Windows 10 version 1809, Windows Server 2019, Windows 10 version 1809 and Windows Server, version 1809. See the FAQ section for more information.


9.0    2019-06-11T07:00:00Z    

A Servicing Stack Update has been released for Windows 10 version 1607, Windows Server 2016, Windows 10 version 1809, and Windows Server 2019. See the FAQ section for more information.


10.0    2019-06-14T07:00:00Z    

A Servicing Stack Update has been released for Windows 10 version 1903 and Windows Server, version 1903 (Server Core installation). See the FAQ section for more information.


13.0    2019-07-26T07:00:00Z    

A Servicing Stack Update has been released for Windows 10 version 1903 and Windows Server, version 1903 (Server Core installation). See the FAQ section for more information.


14.0    2019-09-10T07:00:00Z    

A Servicing Stack Update has been released for all supported versions of Windows. See the FAQ section for more information.


15.0    2019-10-08T07:00:00Z    

A Servicing Stack Update has been released for all supported versions of Windows 10 (including Windows Server 2016 and 2019), Windows 8.1, Windows Server 2012 R2 and Windows Server 2012. See the FAQ section for more information.


15.1    2019-10-09T07:00:00Z    

In the Security Updates table, corrected the KB Article Number and Download links for Server 2012, the 32-bit and x64-based versions of Windows 8.1, and Server 2012 R2. See the FAQ section for more information.


16.0    2019-11-12T08:00:00Z    

A Servicing Stack Update has been released for all supported versions of Windows. See the FAQ section for more information.


1.0    2018-11-13T08:00:00Z    

Information published.


1.1    2018-11-14T08:00:00Z    

Corrected the link to the Windows Server 2008 Servicing Stack Update. This is an informational change only.


2.0    2018-12-05T08:00:00Z    

A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information.


3.0    2018-12-11T08:00:00Z    

A Servicing Stack Update has been released for Windows 10 Version 1709, Windows Server, version 1709 (Server Core Installation), Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information.


3.1    2018-12-11T08:00:00Z    

Updated supersedence information. This is an informational change only.


3.2    2018-12-12T08:00:00Z    

Fixed a typo in the FAQ.


4.0    2019-01-08T08:00:00Z    

A Servicing Stack Update has been released for Windows 10 Version 1703. See the FAQ section for more information.


5.0    2019-02-12T08:00:00Z    

A Servicing Stack Update has been released for Windows 10 Version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation); Windows 10 Version 1703; Windows 10 Version 1709 and Windows Server, version 1709 (Server Core Installation); Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information.


5.2    2019-02-14T08:00:00Z    

In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1803 for x64-based Systems to 4485449. This is an informational change only.


7.0    2019-04-09T07:00:00Z    

A Servicing Stack Update has been released for Windows Server 2008 and Windows Server 2008 (Server Core installation); Windows 10 version 1809, Windows Server 2019, and Windows Server 2019 (Server Core installation). See the FAQ section for more information.


11.0    2019-07-09T07:00:00Z    

A Servicing Stack Update has been released for all supported versions of Windows 10 (including Windows Server 2016 and 2019), Windows 8.1, Windows Server 2012 R2 and Windows Server 2012. See the FAQ section for more information.


12.0    2019-07-24T07:00:00Z    

A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information.


16.1    2019-11-13T08:00:00Z    

Fixed some incorrect KB numbers. This is an information change only.


17.0    2019-12-10T08:00:00Z    

A Servicing Stack Update has been released for Windows Server 2008 and Windows Server 2008 (Server Core installation); Windows 7, Windows Server 2008 R2, and Windows Server 2008 R2 (Server Core installation). See the FAQ section for more information.


Critical Defense in Depth

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Not Found Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

ADV990001
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4523200 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 for x64-based Systems 4523200 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1607 for 32-bit Systems 4520724 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1607 for x64-based Systems 4520724 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1709 for 32-bit Systems 4523202 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1709 for ARM64-based Systems 4523202 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1709 for x64-based Systems 4523202 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1803 for 32-bit Systems 4523203 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1803 for ARM64-based Systems 4523203 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1803 for x64-based Systems 4523203 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1809 for 32-bit Systems 4523204 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1809 for ARM64-based Systems 4523204 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1809 for x64-based Systems 4523204 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1903 for 32-bit Systems 4524569 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1903 for ARM64-based Systems 4524569 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 10 Version 1903 for x64-based Systems 4524569 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 7 for 32-bit Systems Service Pack 1 4523206 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 7 for x64-based Systems Service Pack 1 4523206 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 8.1 for 32-bit systems 4524445 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows 8.1 for x64-based systems 4524445 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 for 32-bit Systems Service Pack 2 4526478 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4526478 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4526478 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 for x64-based Systems Service Pack 2 4526478 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4526478 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4523206 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4523206 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4523206 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2012 4523208 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2012 (Server Core installation) 4523208 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2012 R2 4524445 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2012 R2 (Server Core installation) 4524445 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2016 4520724 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2016 (Server Core installation) 4520724 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2019 4523204 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server 2019 (Server Core installation) 4523204 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server, version 1803 (Server Core Installation) 4523203 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No
Windows Server, version 1903 (Server Core installation) 4524569 (Servicing Stack Update) Critical Defense in Depth None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
ADV990001 None

CVE-2019-1332 - Microsoft SQL Server Reporting Services XSS Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1332
MITRE
NVD
CVE Title: Microsoft SQL Server Reporting Services XSS Vulnerability
Description:

A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server. An attacker who successfully exploited the vulnerability could run scripts in the context of the targeted user. The attacks could allow the attacker to read content that the attacker is not authorized to read, execute malicious code, and use the victim's identity to take actions on the site on behalf of the user, such as change permissions and delete content.

To exploit the vulnerability, an attacker would need to convince an authenticated user to click a specially-crafted link to an affected SSRS server.

The update addresses the vulnerability by correcting SSRS URL sanitization.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Spoofing

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1332
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Power BI Report Server Release Notes (Security Update) Important Spoofing None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
SQL Server 2017 Reporting Services Release Notes (Security Update) Important Spoofing None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
SQL Server 2019 Reporting Services Release Notes (Security Update) Important Spoofing None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1332 Matei "Mal" Badanoiu


CVE-2019-1349 - Git for Visual Studio Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1349
MITRE
NVD
CVE Title: Git for Visual Studio Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo.

The security update addresses the vulnerability by correcting how Git for Visual Studio validates command-line input.


FAQ:

I want to install the latest supported service baseline for Visual Studio. Do I need to install the previous versions first?

No. For both Visual Studio 2019 and Visual Studio 2017, the latest supported servicing baseline is cumulative. For example, if you need to install Visual Studio 2019 version 16.4 you do NOT first have to install any previous versions. See Visual Studio 2019 version 16.4 Release Notes for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1349
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2017 version 15.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1349 Christopher Ertl (@CTurtE) and Nicolas Joly (@n_joly) of Microsoft Corporation


CVE-2019-1350 - Git for Visual Studio Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1350
MITRE
NVD
CVE Title: Git for Visual Studio Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo.

The security update addresses the vulnerability by correcting how Git for Visual Studio validates command-line input.


FAQ:

I want to install the latest supported service baseline for Visual Studio. Do I need to install the previous versions first?

No. For both Visual Studio 2019 and Visual Studio 2017, the latest supported servicing baseline is cumulative. For example, if you need to install Visual Studio 2019 version 16.4 you do NOT first have to install any previous versions. See Visual Studio 2019 version 16.4 Release Notes for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1350
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2017 version 15.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1350 Christopher Ertl (@CTurtE) and Nicolas Joly (@n_joly) of Microsoft Corporation


CVE-2019-1351 - Git for Visual Studio Tampering Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1351
MITRE
NVD
CVE Title: Git for Visual Studio Tampering Vulnerability
Description:

A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.

To exploit the vulnerability, an attacker must clone a file using a specially crafted path on a vulnerable system.

The security update fixes the vulnerability by ensuring Git for Visual Studio properly handles folder paths.


FAQ:

I want to install the latest supported service baseline for Visual Studio. Do I need to install the previous versions first?

No. For both Visual Studio 2019 and Visual Studio 2017, the latest supported servicing baseline is cumulative. For example, if you need to install Visual Studio 2019 version 16.4 you do NOT first have to install any previous versions. See Visual Studio 2019 version 16.4 Release Notes for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Moderate Tampering

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1351
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2017 version 15.0 Release Notes (Security Update) Moderate Tampering None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) Release Notes (Security Update) Moderate Tampering None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2017 version 16.0 Release Notes (Security Update) Moderate Tampering None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Release Notes (Security Update) Moderate Tampering None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1351 Christopher Ertl (@CTurtE) and Nicolas Joly (@n_joly) of Microsoft Corporation


CVE-2019-1352 - Git for Visual Studio Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1352
MITRE
NVD
CVE Title: Git for Visual Studio Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo.

The security update addresses the vulnerability by correcting how Git for Visual Studio validates command-line input.


FAQ:

I want to install the latest supported service baseline for Visual Studio. Do I need to install the previous versions first?

No. For both Visual Studio 2019 and Visual Studio 2017, the latest supported servicing baseline is cumulative. For example, if you need to install Visual Studio 2019 version 16.4 you do NOT first have to install any previous versions. See Visual Studio 2019 version 16.4 Release Notes for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1352
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2017 version 15.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1352 Christopher Ertl (@CTurtE) and Nicolas Joly (@n_joly) of Microsoft Corporation


CVE-2019-1354 - Git for Visual Studio Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1354
MITRE
NVD
CVE Title: Git for Visual Studio Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo.

The security update addresses the vulnerability by correcting how Git for Visual Studio validates command-line input.


FAQ:

I want to install the latest supported service baseline for Visual Studio. Do I need to install the previous versions first?

No. For both Visual Studio 2019 and Visual Studio 2017, the latest supported servicing baseline is cumulative. For example, if you need to install Visual Studio 2019 version 16.4 you do NOT first have to install any previous versions. See Visual Studio 2019 version 16.4 Release Notes for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1354
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2017 version 15.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1354 Nicolas Joly of Microsoft Corporation


CVE-2019-1387 - Git for Visual Studio Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1387
MITRE
NVD
CVE Title: Git for Visual Studio Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo.

The security update addresses the vulnerability by correcting how Git for Visual Studio validates command-line input.


FAQ:

I want to install the latest supported service baseline for Visual Studio. Do I need to install the previous versions first?

No. For both Visual Studio 2019 and Visual Studio 2017, the latest supported servicing baseline is cumulative. For example, if you need to install Visual Studio 2019 version 16.4 you do NOT first have to install any previous versions. See Visual Studio 2019 version 16.4 Release Notes for more information.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Not Found Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1387
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Visual Studio 2017 version 15.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.0 Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Release Notes (Security Update) Critical Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
Maybe

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1387 Christopher Ertl (@CTurtE) and Nicolas Joly (@n_joly) of Microsoft Corporation


CVE-2019-1400 - Microsoft Access Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1400
MITRE
NVD
CVE Title: Microsoft Access Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists in Microsoft Access software when the software fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The security update addresses the vulnerability by correcting how Microsoft Access handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1400
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Office 2010 Service Pack 2 (32-bit editions) 4484193 (Security Update) Important Information Disclosure 4484127 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2010 Service Pack 2 (64-bit editions) 4484193 (Security Update) Important Information Disclosure 4484127 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 RT Service Pack 1 4484186 (Security Update) Important Information Disclosure 4484119 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 Service Pack 1 (32-bit editions) 4484186 (Security Update) Important Information Disclosure 4484119 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 Service Pack 1 (64-bit editions) 4484186 (Security Update) Important Information Disclosure 4484119 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 (32-bit edition) 4484180 (Security Update) Important Information Disclosure 4484113 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 (64-bit edition) 4484180 (Security Update) Important Information Disclosure 4484113 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1400 kdot


CVE-2019-1458 - Win32k Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1458
MITRE
NVD
CVE Title: Win32k Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how Win32k handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Detected Not Applicable No Yes

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1458
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Elevation of Privilege 4525232
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Elevation of Privilege 4525232
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Elevation of Privilege 4525243
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Elevation of Privilege 4525243
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Elevation of Privilege 4525243
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Elevation of Privilege 4525246
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Elevation of Privilege 4525246
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Elevation of Privilege 4525243
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Elevation of Privilege 4525243
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.2
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1458 Anton Ivanov and Alexey Kulaev of Kaspersky Lab


CVE-2019-1461 - Microsoft Word Denial of Service Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1461
MITRE
NVD
CVE Title: Microsoft Word Denial of Service Vulnerability
Description:

A denial of service vulnerability exists in Microsoft Word software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could cause a remote denial of service against a system.

Exploitation of the vulnerability requires that a specially crafted document be sent to a vulnerable user.

The security update addresses the vulnerability by correcting how Microsoft Word handles objects in memory.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


I have Microsoft Word 2010 installed. Why am I not being offered the 4475598 update?

The 4475598 update only applies to systems running specific configurations of Microsoft Office 2010. Some configurations will not be offered the update.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Denial of Service

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1461
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Office 2010 Service Pack 2 (32-bit editions) 4475598 (Security Update) Important Denial of Service 4475531 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2010 Service Pack 2 (64-bit editions) 4475598 (Security Update) Important Denial of Service 4475531 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Word 2010 Service Pack 2 (32-bit editions) 4475601 (Security Update) Important Denial of Service 4475533 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2010 Service Pack 2 (64-bit editions) 4475601 (Security Update) Important Denial of Service 4475533 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2013 RT Service Pack 1 4484094 (Security Update) Important Denial of Service 4475547
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2013 Service Pack 1 (32-bit editions) 4484094 (Security Update) Important Denial of Service 4475547
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2013 Service Pack 1 (64-bit editions) 4484094 (Security Update) Important Denial of Service 4475547
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2016 (32-bit edition) 4484169 (Security Update) Important Denial of Service 4475540
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Word 2016 (64-bit edition) 4484169 (Security Update) Important Denial of Service 4475540
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Office 365 ProPlus for 32-bit Systems Click to Run (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 64-bit Systems Click to Run (Security Update) Important Denial of Service None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1461 Jaanus Kääp of Clarified Security


CVE-2019-1462 - Microsoft PowerPoint Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1462
MITRE
NVD
CVE Title: Microsoft PowerPoint Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists in Microsoft PowerPoint software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office PowerPoint software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

Note that the Preview Pane is not an attack vector for this vulnerability. The security update addresses the vulnerability by correcting how Microsoft PowerPoint handles objects in memory.


FAQ:

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1462
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Office 2016 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for Mac Release Notes (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions) 4461613 (Security Update) Important Remote Code Execution 4461521 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions) 4461613 (Security Update) Important Remote Code Execution 4461521 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft PowerPoint 2013 RT Service Pack 1 4461590 (Security Update) Important Remote Code Execution 4461481
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions) 4461590 (Security Update) Important Remote Code Execution 4461481
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions) 4461590 (Security Update) Important Remote Code Execution 4461481
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft PowerPoint 2016 (32-bit edition) 4484166 (Security Update) Important Remote Code Execution 4461532
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft PowerPoint 2016 (64-bit edition) 4484166 (Security Update) Important Remote Code Execution 4461532
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Office 365 ProPlus for 32-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 64-bit Systems Click to Run (Security Update) Important Remote Code Execution None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1462 Jaanus Kp, Clarified Security working with Trend Micro's Zero Day Initiative


CVE-2019-1463 - Microsoft Access Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1463
MITRE
NVD
CVE Title: Microsoft Access Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists in Microsoft Access software when the software fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The security update addresses the vulnerability by correcting how Microsoft Access handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1463
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Office 2010 Service Pack 2 (32-bit editions) 4484193 (Security Update) Important Information Disclosure 4484127 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2010 Service Pack 2 (64-bit editions) 4484193 (Security Update) Important Information Disclosure 4484127 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 RT Service Pack 1 4484186 (Security Update) Important Information Disclosure 4484119 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 Service Pack 1 (32-bit editions) 4484186 (Security Update) Important Information Disclosure 4484119 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 Service Pack 1 (64-bit editions) 4484186 (Security Update) Important Information Disclosure 4484119 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 (32-bit edition) 4484180 (Security Update) Important Information Disclosure 4484113 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 (64-bit edition) 4484180 (Security Update) Important Information Disclosure 4484113 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1463 Ofir Shlomo and Tal Dery of Mimecast Research Labs


CVE-2019-1464 - Microsoft Excel Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1464
MITRE
NVD
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data.

To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created.

The update addresses the vulnerability by changing the way certain Excel functions handle objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1464
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Microsoft Excel 2010 Service Pack 2 (32-bit editions) 4484196 (Security Update) Important Information Disclosure 4484164 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Excel 2010 Service Pack 2 (64-bit editions) 4484196 (Security Update) Important Information Disclosure 4484164 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Excel 2013 RT Service Pack 1 4484190 (Security Update) Important Information Disclosure 4484158
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Excel 2013 Service Pack 1 (32-bit editions) 4484190 (Security Update) Important Information Disclosure 4484158
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Excel 2013 Service Pack 1 (64-bit editions) 4484190 (Security Update) Important Information Disclosure 4484158
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Excel 2016 (32-bit edition) 4484179 (Security Update) Important Information Disclosure 4484144
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Excel 2016 (64-bit edition) 4484179 (Security Update) Important Information Disclosure 4484144
Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2010 Service Pack 2 (32-bit editions) 4484192 (Security Update) Important Information Disclosure 4484160 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2010 Service Pack 2 (64-bit editions) 4484192 (Security Update) Important Information Disclosure 4484160 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 RT Service Pack 1 4484184 (Security Update) Important Information Disclosure 4484152 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 Service Pack 1 (32-bit editions) 4484184 (Security Update) Important Information Disclosure 4484152 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2013 Service Pack 1 (64-bit editions) 4484184 (Security Update) Important Information Disclosure 4484152 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 (32-bit edition) 4484182 (Security Update) Important Information Disclosure 4484148 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 (64-bit edition) 4484182 (Security Update) Important Information Disclosure 4484148 Base: N/A
Temporal: N/A
Vector: N/A
Maybe
Microsoft Office 2016 for Mac Release Notes (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 32-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for 64-bit editions Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Microsoft Office 2019 for Mac Release Notes (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 32-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No
Office 365 ProPlus for 64-bit Systems Click to Run (Security Update) Important Information Disclosure None Base: N/A
Temporal: N/A
Vector: N/A
No

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1464 Zhangjie and willJ from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.


CVE-2019-1465 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1465
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1465
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1465 Hossein Lotfi working with Trend Micro's Zero Day Initiative


CVE-2019-1466 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1466
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1466
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1466 Hossein Lotfi working with Trend Micro's Zero Day Initiative


CVE-2019-1467 - Windows GDI Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1467
MITRE
NVD
CVE Title: Windows GDI Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1467
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1467 Lee Jin Young of Codemize Security Research Lab


CVE-2019-1468 - Win32k Graphics Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1468
MITRE
NVD
CVE Title: Win32k Graphics Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are multiple ways an attacker could exploit this vulnerability.

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

  • In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.

The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Critical Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1468
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Critical Remote Code Execution 4525232
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Critical Remote Code Execution 4525232
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Critical Remote Code Execution 4525236
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Critical Remote Code Execution 4525236
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Critical Remote Code Execution 4525241
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Critical Remote Code Execution 4525241
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Critical Remote Code Execution 4525241
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Critical Remote Code Execution 4525237
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Critical Remote Code Execution 4525237
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Critical Remote Code Execution 4525237
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Critical Remote Code Execution 4525235
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Critical Remote Code Execution 4525235
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Critical Remote Code Execution 4525243
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Critical Remote Code Execution 4525243
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Critical Remote Code Execution 4525243
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Critical Remote Code Execution 4525234
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Critical Remote Code Execution 4525234
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Critical Remote Code Execution 4525234
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Critical Remote Code Execution 4525234
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Critical Remote Code Execution 4525234
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Critical Remote Code Execution 4525235
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Critical Remote Code Execution 4525235
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Critical Remote Code Execution 4525235
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Critical Remote Code Execution 4525246
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Critical Remote Code Execution 4525246
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Critical Remote Code Execution 4525243
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Critical Remote Code Execution 4525243
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Critical Remote Code Execution 4525236
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Critical Remote Code Execution 4525236
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Critical Remote Code Execution 4523205
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Critical Remote Code Execution 4525237
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Critical Remote Code Execution 4524570
Base: 8.4
Temporal: 7.6
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1468 xina1i of Antiy Labs


riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative


CVE-2019-1469 - Win32k Information Disclosure Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1469
MITRE
NVD
CVE Title: Win32k Information Disclosure Vulnerability
Description:

An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.

The security update addresses the vulnerability by correcting how win32k handles objects in memory.


FAQ:

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory and kernel memory - unintentional read access to memory contents in kernel space from a user mode process.


Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Information Disclosure

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1469
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 for 32-bit Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 for x64-based Systems 4530681 (Security Update) Important Information Disclosure 4525232
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Information Disclosure 4525241
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for 32-bit systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows 8.1 for x64-based systems 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows RT 8.1 4530702 (Monthly Rollup) Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Information Disclosure 4525234
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Information Disclosure 4525235
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 (Server Core installation) 4530691 (Monthly Rollup)
4530698 (Security Only)
Important Information Disclosure 4525246
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2012 R2 (Server Core installation) 4530702 (Monthly Rollup)
4530730 (Security Only)
Important Information Disclosure 4525243
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Information Disclosure 4525236
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Information Disclosure 4523205
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Information Disclosure 4525237
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Information Disclosure 4524570
Base: 5.5
Temporal: 5.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1469 Gil Dabah


Guopengfei from Codesafe Team of Legendsec at Qi'anxin Group


CVE-2019-1476 - Windows Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1476
MITRE
NVD
CVE Title: Windows Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation Less Likely Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1476
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Elevation of Privilege 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Elevation of Privilege 4525241
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2016 (Server Core installation) 4530689 (Security Update) Important Elevation of Privilege 4525236
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1803 (Server Core Installation) 4530717 (Security Update) Important Elevation of Privilege 4525237
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1903 (Server Core installation) 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server, version 1909 (Server Core installation) 4530684 (Security Update) Important Elevation of Privilege 4524570
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1476 Gábor Selján (@GaborSeljan)


CVE-2019-1477 - Windows Printer Service Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1477
MITRE
NVD
CVE Title: Windows Printer Service Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when the Windows Printer Service improperly validates file paths while loading printer drivers. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how the Windows Printer Service validates file paths.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1477
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2019 (Server Core installation) 4530715 (Security Update) Important Elevation of Privilege 4523205
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1477 Yongil Lee of Diffense


CVE-2019-1478 - Windows COM Server Elevation of Privilege Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1478
MITRE
NVD
CVE Title: Windows COM Server Elevation of Privilege Vulnerability
Description:

An elevation of privilege vulnerability exists when Windows improperly handles COM object creation. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses the vulnerability by correcting how the Windows COM Server creates COM objects.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Important Elevation of Privilege

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
N/A Exploitation Less Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1478
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Windows 7 for 32-bit Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows 7 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for Itanium-Based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4530695 (Monthly Rollup)
4530719 (Security Only)
Important Elevation of Privilege 4525234
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4530734 (Monthly Rollup)
4530692 (Security Only)
Important Elevation of Privilege 4525235
Base: 7.8
Temporal: 7.0
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes

Acknowledgements

CVE ID Acknowledgements
CVE-2019-1478 Yongil Lee of Diffense


CVE-2019-1485 - VBScript Remote Code Execution Vulnerability

(top)
CVE ID Vulnerability Description Maximum Severity Rating Vulnerability Impact
CVE-2019-1485
MITRE
NVD
CVE Title: VBScript Remote Code Execution Vulnerability
Description:

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.


FAQ:
None
Mitigations:
None
Workarounds:
None
Revision:
1.0    2019-12-10T08:00:00Z    

Information published.


Low Remote Code Execution

Exploitability Index

The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.

Exploitability Assessment for Latest Software Release Exploitability Assessment for Older Software Release Denial of Service Exploitability Assessment Publicly Disclosed Exploited
Exploitation More Likely Exploitation More Likely Not Applicable No No

Affected Software

The following tables list the affected software details for the vulnerability.

CVE-2019-1485
Product KB Article Severity Impact Supersedence CVSS Score Set Restart Required
Internet Explorer 10 on Windows Server 2012 4530691 (Monthly Rollup)
4530677 (IE Cumulative)
Low Remote Code Execution 4525246

4525106
Base: 6.4
Temporal: 5.8
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for 32-bit Systems 4530681 (Security Update) Important Remote Code Execution 4525232
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 for x64-based Systems 4530681 (Security Update) Important Remote Code Execution 4525232
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems 4530689 (Security Update) Important Remote Code Execution 4525236
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems 4530689 (Security Update) Important Remote Code Execution 4525236
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems 4530714 (Security Update) Important Remote Code Execution 4525241
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems 4530714 (Security Update) Important Remote Code Execution 4525241
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems 4530714 (Security Update) Important Remote Code Execution 4525241
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems 4530717 (Security Update) Important Remote Code Execution 4525237
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems 4530717 (Security Update) Important Remote Code Execution 4525237
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems 4530717 (Security Update) Important Remote Code Execution 4525237
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems 4530715 (Security Update) Important Remote Code Execution 4523205
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1909 for 32-bit Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1909 for ARM64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 10 Version 1909 for x64-based Systems 4530684 (Security Update) Important Remote Code Execution 4524570
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 4530677 (IE Cumulative)
4530734 (Monthly Rollup)
Important Remote Code Execution 4525106
4525235
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 4530677 (IE Cumulative)
4530734 (Monthly Rollup)
Important Remote Code Execution 4525106
4525235
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for 32-bit systems 4530677 (IE Cumulative)
4530702 (Monthly Rollup)
Important Remote Code Execution 4525106
4525243
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Internet Explorer 11 on Windows 8.1 for x64-based systems 4530677 (IE Cumulative)
4530702 (Monthly Rollup)
Important Remote Code Execution 4525106
4525243
Base: 7.5
Temporal: 6.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Yes
Interne