This report contains detail for the following vulnerabilities:
| Tag | CVE ID | CVE Title |
|---|---|---|
| Azure Stack | CVE-2019-1234 | Azure Stack Spoofing Vulnerability |
| Chipsets | ADV190024 | Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM) |
| Graphic Fonts | CVE-2019-1456 | OpenType Font Parsing Remote Code Execution Vulnerability |
| Microsoft Edge | CVE-2019-1413 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Exchange Server | CVE-2019-1373 | Microsoft Exchange Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2019-1441 | Win32k Graphics Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2019-1408 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1439 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1438 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1407 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1394 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1393 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1396 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1395 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1437 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1432 | DirectWrite Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1411 | DirectWrite Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1440 | Win32k Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1419 | OpenType Font Parsing Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2019-1433 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1436 | Win32k Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1412 | OpenType Font Driver Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1434 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1435 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft JET Database Engine | CVE-2019-1406 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-1445 | Microsoft Office Online Spoofing Vulnerability |
| Microsoft Office | CVE-2019-1449 | Microsoft Office ClickToRun Security Feature Bypass Vulnerability |
| Microsoft Office | CVE-2019-1446 | Microsoft Excel Information Disclosure Vulnerability |
| Microsoft Office | CVE-2019-1447 | Microsoft Office Online Spoofing Vulnerability |
| Microsoft Office | CVE-2019-1402 | Microsoft Office Information Disclosure Vulnerability |
| Microsoft Office | CVE-2019-1448 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-1457 | Microsoft Office Excel Security Feature Bypass |
| Microsoft Office SharePoint | CVE-2019-1443 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft Office SharePoint | CVE-2019-1442 | Microsoft Office Security Feature Bypass Vulnerability |
| Microsoft RPC | CVE-2019-1409 | Windows Remote Procedure Call Information Disclosure Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1426 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1429 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1427 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1428 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1390 | VBScript Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-1383 | Windows Data Sharing Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1418 | Windows Modules Installer Service Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2018-12207 | Windows Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-1420 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1417 | Windows Data Sharing Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1415 | Windows Installer Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1374 | Windows Error Reporting Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2019-1422 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1423 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1424 | NetLogon Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2019-1382 | Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1385 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1380 | Microsoft splwow64 Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1388 | Windows Certificate Dialog Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1391 | Windows Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-1384 | Microsoft Windows Security Feature Bypass Vulnerability |
| Microsoft Windows | CVE-2019-1405 | Windows UPnP Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1381 | Microsoft Windows Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2019-1379 | Windows Data Sharing Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1324 | Windows TCP/IP Information Disclosure Vulnerability |
| Open Source Software | CVE-2019-1370 | Open Enclave SDK Information Disclosure Vulnerability |
| Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates |
| Visual Studio | CVE-2019-1425 | Visual Studio Elevation of Privilege Vulnerability |
| Windows Hyper-V | CVE-2019-1398 | Windows Hyper-V Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-1310 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2019-0719 | Hyper-V Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-1399 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2019-1397 | Windows Hyper-V Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-0712 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Hyper-V | CVE-2019-0721 | Hyper-V Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-1389 | Windows Hyper-V Remote Code Execution Vulnerability |
| Windows Hyper-V | CVE-2019-1309 | Windows Hyper-V Denial of Service Vulnerability |
| Windows Kernel | CVE-2019-1392 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-11135 | Windows Kernel Information Disclosure Vulnerability |
| Windows Media Player | CVE-2019-1430 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability |
| Windows Subsystem for Linux | CVE-2019-1416 | Windows Subsystem for Linux Elevation of Privilege Vulnerability |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1234 MITRE NVD |
CVE Title: Azure Stack Spoofing Vulnerability
Description: A spoofing vulnerability exists when Azure Stack fails to validate certain requests. An attacker who successfully exploited the vulnerability could make requests to internal Azure Stack resources. An attacker could exploit the vulnerability by sending a specially crafted request to the Azure Stack user portal. The update addresses the vulnerability by changing how Azure Stack handles certain requests. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1234 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure Stack | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1234 | Ronen Shustin of Check Point Research |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1374 MITRE NVD |
CVE Title: Windows Error Reporting Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application or convince a target to run a crafted application. The security update addresses the vulnerability by correcting the way WER handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1374 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1374 | Yongil Lee of Diffense https://www.diffense.com Clément Lavoillotte @clavoillotte of Almond https://twitter.com/clavoillotte,https://almond.consulting/ Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1413 MITRE NVD |
CVE Title: Microsoft Edge Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists when Microsoft Edge improperly handles extension requests and fails to request host permission for all_urls. An attacker who successfully exploited this vulnerability could trick a browser into installing an extension without the user's consent. To exploit the vulnerability, the user must either browse to a malicious website or be redirected to it. In an email attack scenario, an attacker could send an email message in an attempt to convince the user to click a link to a malicious site, which then can download an extension for all_urls without the user's knowledge. In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of an enticement in an email or instant message. The security update addresses the vulnerability by correcting how Microsoft Edge handles host permissions for adding extensions. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1413 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows Server 2016 | 4525236 (Security Update) | Low | Security Feature Bypass | 4519998 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows Server 2019 | 4523205 (Security Update) | Low | Security Feature Bypass | 4519338 | Base: 4.30 Temporal: 3.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1413 | Brxxn https://hackerone.com/brxxn |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1415 MITRE NVD |
CVE Title: Windows Installer Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations. To exploit the vulnerability, an attacker would require unprivileged execution on the victim system. After successfully exploiting the vulnerability, an attacker could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the way Windows Installer handles certain filesystem operations. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1415 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1415 | Polar Bear |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1416 MITRE NVD |
CVE Title: Windows Subsystem for Linux Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists due to a race condition in Windows Subsystem for Linux. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1416 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1416 | Tao Xie https://www.github.com/xietao1233 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1417 MITRE NVD |
CVE Title: Windows Data Sharing Service Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1417 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1417 | Nadav Markus and Yaron Samuel of Palo Alto Networks
https://www.paloaltonetworks.com/ Linshuang Li of Pinduoduo Security Team k0shl of Qihoo 360 Vulcan Team https://twitter.com/KeyZ3r0,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1418 MITRE NVD |
CVE Title: Windows Modules Installer Service Information Disclosure Vulnerability
Description: An information vulnerability exists when Windows Modules Installer Service improperly discloses file information. Successful exploitation of the vulnerability could allow the attacker to read the contents of a log file on disk. To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application. The update addresses the vulnerability by changing the way Windows Modules Installer Service discloses file information. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1418 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Information Disclosure | 4520002 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4520003 4519976 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 3.50 Temporal: 3.20 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1418 | Edward Torkington and Phillip Langlois of NCC Group |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1429 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Detected | Exploitation Detected | Not Applicable | No | Yes |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1429 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4525246 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520007 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4525106 (IE Cumulative) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519974 4519976 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4525106 (IE Cumulative) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519974 4519976 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4525243 (Monthly Rollup) 4525106 (IE Cumulative) |
Critical | Remote Code Execution | 4520005 4519974 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525106 (IE Cumulative) |
Critical | Remote Code Execution | 4520005 4519974 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4525243 (Monthly Rollup) | Critical | Remote Code Execution | 4520005 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525106 (IE Cumulative) 4525235 (Monthly Rollup) |
Moderate | Remote Code Execution | 4519974 4519976 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4525106 (IE Cumulative) | Moderate | Remote Code Execution | 4519974 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520005 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4525236 (Security Update) | Moderate | Remote Code Execution | 4519998 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4523205 (Security Update) | Moderate | Remote Code Execution | 4519338 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520002 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520002 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1429 | Anonymous researcher working with iDefense Labs https://vcp.idefense.com Resecurity Inc. @resecurity_com https://www.resecurity.com,https://twitter.com/resecurity_com Clément Lecigne of Google’s Threat Analysis Group Ivan Fratric of Google Project Zero https://www.google.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1430 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Media Foundation improperly parses specially crafted QuickTime media files. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker must send a specially crafted QuickTime file to a user and convince them to open it. When opened, the malicious QuickTime file will execute code of the attacker’s choice on the target system. The security update addresses the vulnerability by ensuring Windows Media Foundation properly parses QuickTime media files. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1430 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.30 Temporal: 6.60 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1430 | Marcin 'Icewall' Noga of Cisco Talos https://talosintelligence.com/vulnerability_reports |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1432 MITRE NVD |
CVE Title: DirectWrite Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1432 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4520003 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1432 | kdot working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1433 MITRE NVD |
CVE Title: Windows Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1433 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1433 | Guopengfei from Codesafe Team of Legendsec at Qi'anxin Group |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1434 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1434 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1434 | Guopengfei from Codesafe Team of Legendsec at Qi'anxin Group |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1435 MITRE NVD |
CVE Title: Windows Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1435 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1435 | Guopengfei from Codesafe Team of Legendsec at Qi'anxin Group |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1436 MITRE NVD |
CVE Title: Win32k Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory and kernel memory - unintentional read access to memory contents in kernel space from a user mode process. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1436 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1436 | Seonung Jang (@Seonunghardt) of Stealien https://twitter.com/Seonunghardt,http://www.stealien.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1437 MITRE NVD |
CVE Title: Windows Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1437 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1437 | Keqi Hu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1438 MITRE NVD |
CVE Title: Windows Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1438 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1438 | bee13oy of Qihoo 360 Vulcan Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1439 MITRE NVD |
CVE Title: Windows GDI Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1439 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4520003 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1439 | Keqi Hu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1440 MITRE NVD |
CVE Title: Win32k Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how win32k handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory and kernel memory - unintentional read access to memory contents in kernel space from a user mode process. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1440 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1440 | Gil Dabah |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1441 MITRE NVD |
CVE Title: Win32k Graphics Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit this vulnerability.
The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1441 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Critical | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4520003 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1441 | Lee JinYoung of Codemize Security Research Lab
http://codemize.co.kr Hossein Lotfi of Trend Micro Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-11135 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. Why is Microsoft documenting a CVE that was issued by Intel? On November 12, 2019, Intel published a technical advisory around Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. Microsoft has released security updates to help mitigate this vulnerability. Please note the following:
Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-11135 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4520003 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-11135 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1456 MITRE NVD |
CVE Title: OpenType Font Parsing Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by either convincing a user to open a specially crafted document, or by convincing a user to visit a webpage that contains specially crafted embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1456 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Remote Code Execution | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Remote Code Execution | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Remote Code Execution | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Remote Code Execution | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Remote Code Execution | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Remote Code Execution | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Remote Code Execution | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Remote Code Execution | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1456 | Hossein Lotfi of Trend Micro Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2018-12207 MITRE NVD |
CVE Title: Windows Denial of Service Vulnerability
Description: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory. FAQ: Why is Microsoft documenting a CVE that was issued by Intel? On November 12, 2019, Intel published a technical advisory around Intel® Processor Machine Check Error vulnerability that is assigned CVE-2018-12207. Microsoft has released updates to help mitigate this vulnerability for guest Virtual Machines (VMs). By default, the protection is disabled. Enabling this protection requires action on the Host. Please follow the guidance around registry setting outlined in Microsoft Knowledge Base article 4530989 to enable this mitigation on a Hyper-V host system. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2018-12207 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Denial of Service | 4520011 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Denial of Service | 4520011 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525235 (Monthly Rollup) | Important | Denial of Service | 4519976 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Denial of Service | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Denial of Service | 4520005 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4520003 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 4.70 Temporal: 4.20 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2018-12207 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1457 MITRE NVD |
CVE Title: Microsoft Office Excel Security Feature Bypass
Description: A security feature bypass vulnerability exists in Microsoft Office software by not enforcing macro settings on an Excel document. The security feature bypass by itself does not allow arbitrary code execution. To successfully exploit the vulnerability, an attacker would have to embed a control in an Excel worksheet that specifies a macro should be run. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Microsoft Office software. The security update addresses the vulnerability by enforcing macro settings on Excel documents. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1457 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2016 for Mac | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for Mac | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-1457 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| ADV190024 MITRE NVD |
CVE Title: Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM)
Description: Executive SummaryThis advisory addresses CVE-2019-16863. A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key confidentiality protection for a specific algorithm (ECDSA). It is important to note that this is a TPM firmware vulnerability, and not a vulnerability in the Windows operating system or a specific application. Currently no Windows systems use the vulnerable algorithm. Other software or services you are running might use this algorithm. Therefore if your system is affected and requires the installation of TPM firmware updates, you might need to re-enroll in security services you are running to remediate those affected services. For more details contact the TPM manufacturer - www.st.com/tpm-update. Advisory DetailsImportant This vulnerability is present in a specific vendor’s TPM firmware that is based on Trusted Computing Guidelines (TCG) specification family 2.0, but not 1.2, and not in the TPM standard or in Microsoft Windows. Although Windows security features do not depend on the affected algorithm, third party software may rely on keys generated by the TPM and that would be affected by the vulnerability. Even after a TPM firmware update is installed, you might need to carry out additional remediation steps to force regeneration of previously created affected TPM keys. FAQ1. What systems are at risk from these vulnerabilities?
2. What is a TPM? See Trusted Platform Module Technology Overview 3. What is the associated CVE for this vulnerability? See CVE-2019-16863 4. Have there been any active attacks detected? No. When this security advisory was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. 5. Has this vulnerability been publicly disclosed? No. Microsoft received information about the vulnerability through coordinated vulnerability disclosure. 6. I have a Surface device. Is my device affected by this vulnerability? No. Microsoft Surface devices do not have these chipsets installed. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| ADV190024 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| None affected | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| ADV190024 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||||||||||||||||||||||||||||||||
| ADV990001 MITRE NVD |
CVE Title: Latest Servicing Stack Updates
Description: This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update. FAQ: 1. Why are all of the Servicing Stack Updates (SSU) critical updates? The SSUs are classified as Critical updates. This does not indicate that there is a critical vulnerability being addressed in the update. 2. When was the most recent SSU released for each version of Microsoft Windows? Please refer to the following table for the most recent SSU release. We will update the entries any time a new SSU is released:
3. Where can I find more information about the Servicing Stack Updates? You can find more information by following these links: Mitigations: None Workarounds: None Revision: 5.0 2019-02-12T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation); Windows 10 Version 1703; Windows 10 Version 1709 and Windows Server, version 1709 (Server Core Installation); Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information. 3.0 2018-12-11T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1709, Windows Server, version 1709 (Server Core Installation), Windows 10 Version 1803, and Windows Server, version 1803 (Server Core Installation). See the FAQ section for more information. 9.0 2019-06-11T07:00:00 A Servicing Stack Update has been released for Windows 10 version 1607, Windows Server 2016, Windows 10 version 1809, and Windows Server 2019. See the FAQ section for more information. 10.0 2019-06-14T07:00:00 A Servicing Stack Update has been released for Windows 10 version 1903 and Windows Server, version 1903 (Server Core installation). See the FAQ section for more information. 5.1 2019-02-13T08:00:00 In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1809 for x64-based Systems to 4470788. This is an informational change only. 16.0 2019-11-12T08:00:00 A Servicing Stack Update has been released for all supported versions of Windows. See the FAQ section for more information. 14.0 2019-09-10T07:00:00 A Servicing Stack Update has been released for all supported versions of Windows. See the FAQ section for more information. 15.1 2019-10-09T07:00:00 In the Security Updates table, corrected the KB Article Number and Download links for Server 2012, the 32-bit and x64-based versions of Windows 8.1, and Server 2012 R2. See the FAQ section for more information. 8.0 2019-05-14T07:00:00 A Servicing Stack Update has been released for Windows 10 version 1507, Windows 10 version 1607, Windows Server 2016, Windows 10 version 1703, Windows 10 version 1709, Windows Server, version 1709, Windows 10 version 1803, Windows Server, version 1803, Windows 10 version 1809, Windows Server 2019, Windows 10 version 1809 and Windows Server, version 1809. See the FAQ section for more information. 7.0 2019-04-09T07:00:00 A Servicing Stack Update has been released for Windows Server 2008 and Windows Server 2008 (Server Core installation); Windows 10 version 1809, Windows Server 2019, and Windows Server 2019 (Server Core installation). See the FAQ section for more information. 4.0 2019-01-08T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1703. See the FAQ section for more information. 2.0 2018-12-05T08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information. 3.2 2018-12-12T08:00:00 Fixed a typo in the FAQ. 3.1 2018-12-11T08:00:00 Updated supersedence information. This is an informational change only. 15.0 2019-10-08T07:00:00 A Servicing Stack Update has been released for all supported versions of Windows 10 (including Windows Server 2016 and 2019), Windows 8.1, Windows Server 2012 R2 and Windows Server 2012. See the FAQ section for more information. 13.0 2019-07-26T07:00:00 A Servicing Stack Update has been released for Windows 10 version 1903 and Windows Server, version 1903 (Server Core installation). See the FAQ section for more information. 1.1 2018-11-14T08:00:00 Corrected the link to the Windows Server 2008 Servicing Stack Update. This is an informational change only. 11.0 2019-07-09T07:00:00 A Servicing Stack Update has been released for all supported versions of Windows 10 (including Windows Server 2016 and 2019), Windows 8.1, Windows Server 2012 R2 and Windows Server 2012. See the FAQ section for more information. 1.2 2018-12-03T08:00:00 FAQs have been added to further explain Security Stack Updates. The FAQs include a table that indicates the most recent SSU release for each Windows version. This is an informational change only. 12.0 2019-07-24T07:00:00 A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information. 1.0 2018-11-13T08:00:00 Information published. 5.2 2019-02-14T08:00:00 In the Security Updates table, corrected the Servicing Stack Update (SSU) for Windows 10 Version 1803 for x64-based Systems to 4485449. This is an informational change only. 6.0 2019-03-12T07:00:00 A Servicing Stack Update has been released for Windows 7 and Windows Server 2008 R2 and Windows Server 2008 R2 (Server Core installation). See the FAQ section for more information. |
Critical | Defense in Depth |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| ADV990001 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4523200 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 for x64-based Systems | 4523200 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1607 for 32-bit Systems | 4520724 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1607 for x64-based Systems | 4520724 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1709 for 32-bit Systems | 4523202 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1709 for ARM64-based Systems | 4523202 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1709 for x64-based Systems | 4523202 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1803 for 32-bit Systems | 4523203 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1803 for ARM64-based Systems | 4523203 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1803 for x64-based Systems | 4523203 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1809 for 32-bit Systems | 4523204 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1809 for ARM64-based Systems | 4523204 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1809 for x64-based Systems | 4523204 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1903 for 32-bit Systems | 4524569 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1903 for ARM64-based Systems | 4524569 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 10 Version 1903 for x64-based Systems | 4524569 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 7 for 32-bit Systems Service Pack 1 | 4523206 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 7 for x64-based Systems Service Pack 1 | 4523206 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 8.1 for 32-bit systems | 4524445 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows 8.1 for x64-based systems | 4524445 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4526478 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4526478 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4526478 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4526478 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4526478 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4523206 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4523206 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4523206 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2012 | 4523208 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2012 (Server Core installation) | 4523208 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2012 R2 | 4524445 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2012 R2 (Server Core installation) | 4524445 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Windows Server 2016 | 4521858 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2016 (Server Core installation) | 4521858 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2019 | 4521862 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server 2019 (Server Core installation) | 4521862 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4521861 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4521863 (Servicing Stack Update) | Critical | Defense in Depth | None | Base: N/A Temporal: N/A Vector: N/A |
Yes |
| CVE ID | Acknowledgements |
| ADV990001 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0712 MITRE NVD |
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description: A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. The update addresses the vulnerability by modifying how virtual machines access the Hyper-V Network Switch. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0712 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Denial of Service | 4520011 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0712 | Nick Freeman of Capsule8 https://capsule8.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0719 MITRE NVD |
CVE Title: Hyper-V Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Windows Hyper-V Network Switch validates guest operating system network traffic. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. 1.0 2019-09-10T07:00:00 Added information to the CVE article. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0719 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0719 | Jordan Rabet, Microsoft Offensive Security Research Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-0721 MITRE NVD |
CVE Title: Hyper-V Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Windows Hyper-V Network Switch validates guest operating system network traffic. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-0721 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 8.00 Temporal: 7.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-0721 | Jordan Rabet, Microsoft Offensive Security Research Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1309 MITRE NVD |
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description: A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. The update addresses the vulnerability by modifying how virtual machines access the Hyper-V Network Switch. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1309 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1309 | HongZhenhao of IceSword Lab, Qihoo 360 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1310 MITRE NVD |
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description: A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. The update addresses the vulnerability by modifying how virtual machines access the Hyper-V Network Switch. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1310 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.80 Temporal: 5.20 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1310 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1324 MITRE NVD |
CVE Title: Windows TCP/IP Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows TCP/IP stack improperly handles IPv6 flowlabel filled in packets. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an attacker would have to send specially crafted IPv6 packets to a remote Windows computer. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows handles IPv6 flowlabel data in packets. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is device information like resource ids, sas tokens, user properties, and other sensitive information. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1324 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.30 Temporal: 4.90 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1324 | Amit Klein, Benny Pinkas and Jonathan Berger with Bar Ilan University http://www.securitygalore.com/,http://http://www.pinkas.net,https://cyber.biu.ac.il/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1370 MITRE NVD |
CVE Title: Open Enclave SDK Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information stored in the Enclave. To exploit this vulnerability, an attacker would have to successfully compromise the host application running the enclave. The attacker can then pivot to the enclave and exploit this vulnerability without user interaction. The security update addresses the vulnerability by modifying how Open Enclave SDK handle objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Enclave memory read - unprivileged write to enclave memory from a host application, which can leak memory contents of the enclave. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1370 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Open Enclave SDK | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H/E:P/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1370 | Frank Piessens (imec-DistriNet, KU Leuven) Jethro Beekman (Fortanix) David Oswald (The University of Birmingham, UK) Jo van Bulck (imec-DistriNet, KU Leuven) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1373 MITRE NVD |
CVE Title: Microsoft Exchange Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the logged in user. Exploitation of this vulnerability requires that a user run cmdlets via PowerShell. The security update addresses the vulnerability by correcting how Exchange serializes its metadata. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1373 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2013 Cumulative Update 23 | 4523171 (Security Update) | Critical | Remote Code Execution | 4509409 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2016 Cumulative Update 13 | 4523171 (Security Update) | Critical | Remote Code Execution | 4515832 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2016 Cumulative Update 14 | 4523171 (Security Update) | Critical | Remote Code Execution | 4515832 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2019 Cumulative Update 2 | 4523171 (Security Update) | Critical | Remote Code Execution | 4515832 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Exchange Server 2019 Cumulative Update 3 | 4523171 (Security Update) | Critical | Remote Code Execution | 4515832 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1373 | Pham Van Khanh from Viettel Cyber Security |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1379 MITRE NVD |
CVE Title: Windows Data Sharing Service Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1379 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1379 | Linshuang Li with Pinduoduo Security Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1380 MITRE NVD |
CVE Title: Microsoft splwow64 Elevation of Privilege Vulnerability
Description: A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls.. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1380 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1380 | Anonymous working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ Wayne Low of Fortinet’s FortiGuard Labs https://fortiguard.com/ Keqi Hu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1381 MITRE NVD |
CVE Title: Microsoft Windows Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows Servicing Stack allows access to unprivileged file locations. An attacker who successfully exploited the vulnerability could potentially access unauthorized files. To exploit this vulnerability, an authenticated attacker could run a specially crafted application in user mode. The update addresses the vulnerability by checking files paths for symbolic links. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1381 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 6.60 Temporal: 5.90 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1381 | Edward Torkington of NCC Group https://www.nccgroup.trust Phillip Langlois of NCC Group https://www.nccgroup.trust |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1382 MITRE NVD |
CVE Title: Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when ActiveX Installer service may allow access to files without proper authentication. An attacker who successfully exploited the vulnerability could potentially access unauthorized files. To exploit this vulnerability, an authenticated attacker could run a specially crafted application on the victim system. The update addresses the vulnerability by validated file permissions before accessing them. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1382 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1382 | Edward Torkington of NCC Group https://www.nccgroup.trust Phillip Langlois of NCC Group https://www.nccgroup.trust |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1383 MITRE NVD |
CVE Title: Windows Data Sharing Service Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1383 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1383 | k0shl of Qihoo 360 Vulcan team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1384 MITRE NVD |
CVE Title: Microsoft Windows Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages. To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could access another machine using the original user privileges. The issue has been addressed by changing how NTLM validates network authentication messages. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1384 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Security Feature Bypass | 4520011 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Security Feature Bypass | 4520011 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Security Feature Bypass | 4520005 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Security Feature Bypass | 4520005 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Security Feature Bypass | 4520005 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Security Feature Bypass | 4520002 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4520003 4519976 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Security Feature Bypass | 4519985 4520007 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Security Feature Bypass | 4519985 4520007 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Security Feature Bypass | 4520005 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Security Feature Bypass | 4520005 |
Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.50 Temporal: 7.60 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1384 | Danyal Drew of The Missing Link https://www.themissinglink.com.au |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1385 MITRE NVD |
CVE Title: Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1385 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1385 | Polar Bear kkokkokye@THEORI working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ Andrea Pierini & Christian Danieli https://twitter.com/decoder_it,https://twitter.com/padovah4ck |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1388 MITRE NVD |
CVE Title: Windows Certificate Dialog Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by ensuring Windows Certificate Dialog properly enforces user privileges. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1388 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1388 | Eduardo Braun Prado working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1389 MITRE NVD |
CVE Title: Windows Hyper-V Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1389 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1389 | Joe Bialek, MSRC Vulnerabilities and Mitigations Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1390 MITRE NVD |
CVE Title: VBScript Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1390 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Internet Explorer 10 on Windows Server 2012 | 4525246 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520007 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for 32-bit Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 for x64-based Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 | 4525106 (IE Cumulative) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519974 4519976 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 | 4525106 (IE Cumulative) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519974 4519976 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for 32-bit systems | 4525243 (Monthly Rollup) 4525106 (IE Cumulative) |
Critical | Remote Code Execution | 4520005 4519974 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525106 (IE Cumulative) |
Critical | Remote Code Execution | 4520005 4519974 |
Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows RT 8.1 | 4525243 (Monthly Rollup) | Critical | Remote Code Execution | 4520005 | Base: 7.50 Temporal: 6.70 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525106 (IE Cumulative) 4525235 (Monthly Rollup) |
Moderate | Remote Code Execution | 4519974 4519976 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 | 4525106 (IE Cumulative) | Moderate | Remote Code Execution | 4519974 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520005 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2016 | 4525236 (Security Update) | Moderate | Remote Code Execution | 4519998 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 11 on Windows Server 2019 | 4523205 (Security Update) | Moderate | Remote Code Execution | 4519338 | Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520002 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525106 (IE Cumulative) |
Moderate | Remote Code Execution | 4520002 4519974 |
Base: 6.40 Temporal: 5.80 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1390 | Anonymous working with iDefense Labs https://vcp.idefense.com Yuki Chen of Qihoo 360 Vulcan Team http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1391 MITRE NVD |
CVE Title: Windows Denial of Service Vulnerability
Description: A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to cause a target system to stop responding. The update addresses the vulnerability by correcting how Windows handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1391 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Denial of Service | 4520011 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Denial of Service | 4520011 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Denial of Service | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Denial of Service | 4520005 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Denial of Service | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4520003 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1391 | Walied Assar https://twitter.com/waleedassar |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1392 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1392 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.00 Temporal: 6.30 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1392 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1393 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1393 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1393 | Marcin Wiazowski working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1394 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1394 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1394 | Marcin Wiazowski working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1395 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1395 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1395 | Marcin Wiazowski working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1396 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1396 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1396 | Marcin Wiazowski working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1397 MITRE NVD |
CVE Title: Windows Hyper-V Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1397 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1397 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1398 MITRE NVD |
CVE Title: Windows Hyper-V Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1398 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.60 Temporal: 6.80 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1398 | Joe Bialek, MSRC Vulnerabilities and Mitigations Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1399 MITRE NVD |
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description: A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine to crash. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving a number of conditions where Hyper-V would fail to prevent a guest operating system from sending malicious requests. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1399 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Denial of Service | 4520004 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Denial of Service | 4520002 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Denial of Service | 4519976 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Denial of Service | 4519985 4520007 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Denial of Service | 4520005 |
Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Denial of Service | 4519998 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Denial of Service | 4519338 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Denial of Service | 4520008 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Denial of Service | 4517389 | Base: 5.40 Temporal: 4.90 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1399 | Microsoft Virtualization Security Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1402 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how Microsoft Office handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1402 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) | 4484127 (Security Update) | Important | Information Disclosure | 4475599 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) | 4484127 (Security Update) | Important | Information Disclosure | 4475599 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 RT Service Pack 1 | 4484119 (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) | 4484119 (Security Update) | Important | Information Disclosure | 4475611 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) | 4484119 (Security Update) | Important | Information Disclosure | 4475611 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (32-bit edition) | 4484113 (Security Update) | Important | Information Disclosure | 4475591 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 4484113 (Security Update) | Important | Information Disclosure | 4475591 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-1402 | kdot |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1405 MITRE NVD |
CVE Title: Windows UPnP Service Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application. The update addresses the vulnerability by correcting how the Windows UPnP service accesses COM objects. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1405 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1405 | Edward Torkington and Phillip Langlois of NCC Group https://www.nccgroup.trust |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1406 MITRE NVD |
CVE Title: Jet Database Engine Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1406 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Remote Code Execution | 4520011 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Remote Code Execution | 4520011 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Remote Code Execution | 4520004 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Remote Code Execution | 4520004 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Remote Code Execution | 4520004 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Remote Code Execution | 4520005 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Remote Code Execution | 4520005 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Remote Code Execution | 4520005 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Remote Code Execution | 4520002 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4520003 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Remote Code Execution | 4519976 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Remote Code Execution | 4519985 4520007 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Remote Code Execution | 4519985 4520007 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Remote Code Execution | 4520005 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Remote Code Execution | 4520005 |
Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Remote Code Execution | 4519998 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Remote Code Execution | 4519338 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Remote Code Execution | 4520008 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Remote Code Execution | 4517389 | Base: 6.70 Temporal: 6.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1406 | kdot Shih-Fong Peng (@_L4ys) of TeamT5 https://twitter.com/_L4ys,https://www.teamt5.org/ Bar Lahav and Gal De Leon of Palo Alto Networks https://www.paloaltonetworks.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1407 MITRE NVD |
CVE Title: Windows Graphics Component Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. The update addresses the vulnerability by correcting the way in which the Microsoft Graphics Component handles objects in memory and preventing unintended elevation from user mode. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1407 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1407 | Guopengfei from Codesafe Team of Legendsec at Qi'anxin Group |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1408 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Exploitation More Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1408 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Elevation of Privilege | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1408 | Marcin Wiazowski working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1409 MITRE NVD |
CVE Title: Windows Remote Procedure Call Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when the Windows Remote Procedure Call (RPC) runtime improperly initializes objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit this vulnerability, an authenticated attacker could run a specially crafted application. The update addresses the vulnerability by correcting how the Remote Procedure Call runtime initializes objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1409 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Information Disclosure | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4520003 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 5.50 Temporal: 5.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1409 | JunGu and ZiMi of Alibaba Orion Security Lab https://twitter.com/Bl1nnnk,https://twitter.com/YHZX_2013 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1411 MITRE NVD |
CVE Title: DirectWrite Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1411 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Information Disclosure | 4520011 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Information Disclosure | 4520004 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4520003 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Information Disclosure | 4519998 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Information Disclosure | 4519338 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Information Disclosure | 4520008 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Information Disclosure | 4517389 | Base: 4.40 Temporal: 4.00 Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1411 | kdot kdot working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1412 MITRE NVD |
CVE Title: OpenType Font Driver Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in Windows Adobe Type Manager Font Driver (ATMFD.dll) when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit this vulnerability, an attacker would have to log on to an affected system and open a document containing specially crafted fonts. The update addresses the vulnerability by correcting how ATMFD.dll handles objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory and kernel memory - unintentional read access to memory contents in kernel space from a user mode process. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1412 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Information Disclosure | 4520005 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Information Disclosure | 4520005 | Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Information Disclosure | 4520002 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Information Disclosure | 4520002 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4520003 4519976 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Information Disclosure | 4519976 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Information Disclosure | 4519985 4520007 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Information Disclosure | 4520005 |
Base: 5.00 Temporal: 4.50 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1412 | Hossein Lotfi working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1419 MITRE NVD |
CVE Title: OpenType Font Parsing Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by either convincing a user to open a specially crafted document, or by convincing a user to visit a webpage that contains specially crafted embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1419 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Critical | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Critical | Remote Code Execution | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Critical | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Critical | Remote Code Execution | 4520002 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Critical | Remote Code Execution | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Critical | Remote Code Execution | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Critical | Remote Code Execution | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1419 | Hossein Lotfi working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1420 MITRE NVD |
CVE Title: Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way that the dssvc.dll handles file creation allowing for a file overwrite or creation in a secured location. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the dssvc.dll properly handles this type of functionality. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1420 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1420 | Jonas Lykkegård |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1422 MITRE NVD |
CVE Title: Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way that the iphlpsvc.dll handles file creation allowing for a file overwrite. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the iphlpsvc.dll properly handles this type of functionality. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1422 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Elevation of Privilege | 4520011 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Elevation of Privilege | 4520004 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Elevation of Privilege | 4520005 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4520003 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Elevation of Privilege | 4519976 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Elevation of Privilege | 4519985 4520007 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Elevation of Privilege | 4520005 |
Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Elevation of Privilege | 4519998 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Elevation of Privilege | 4519338 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Elevation of Privilege | 4520008 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1422 | kkokkokye@THEORI working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1423 MITRE NVD |
CVE Title: Windows Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way that the StartTileData.dll handles file creation in protected locations. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the StartTileData.dll properly handles this type of function. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1423 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Elevation of Privilege | 4517389 | Base: 7.80 Temporal: 7.00 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1423 | Conor McErlane https://www.mcerlane.co.uk <> working with Trend Micro's Zero Day Initiative https://www.zerodayinitiative.com/ Polar Bear |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1424 MITRE NVD |
CVE Title: NetLogon Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists when Windows Netlogon improperly handles a secure communications channel. An attacker who successfully exploited the vulnerability could downgrade aspects of the connection allowing for further modification of the transmission. To exploit the vulnerability, an attacker would require an active man in the middle attack to be in place for the targeted traffic. The update addresses the vulnerability by modifying how Netlogon handles these connections, accounting for potential attack through a man in the middle. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1424 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 for 32-bit Systems | 4525232 (Security Update) | Important | Security Feature Bypass | 4520011 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 for x64-based Systems | 4525232 (Security Update) | Important | Security Feature Bypass | 4520011 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Important | Security Feature Bypass | 4520004 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for 32-bit Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 7 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for 32-bit systems | 4525250 (Security Only) 4525243 (Monthly Rollup) |
Important | Security Feature Bypass | 4520005 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows 8.1 for x64-based systems | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Security Feature Bypass | 4520005 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows RT 8.1 | 4525243 (Monthly Rollup) | Important | Security Feature Bypass | 4520005 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for Itanium-Based Systems Service Pack 2 | 4525239 (Security Only) 4525234 (Monthly Rollup) |
Important | Security Feature Bypass | 4520002 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4525234 (Monthly Rollup) 4525239 (Security Only) |
Important | Security Feature Bypass | 4520002 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4520003 4519976 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4525233 (Security Only) 4525235 (Monthly Rollup) |
Important | Security Feature Bypass | 4519976 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Security Feature Bypass | 4519985 4520007 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 4525253 (Security Only) 4525246 (Monthly Rollup) |
Important | Security Feature Bypass | 4519985 4520007 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Security Feature Bypass | 4520005 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 4525243 (Monthly Rollup) 4525250 (Security Only) |
Important | Security Feature Bypass | 4520005 |
Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 4525236 (Security Update) | Important | Security Feature Bypass | 4519998 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 4523205 (Security Update) | Important | Security Feature Bypass | 4519338 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1803 (Server Core Installation) | 4525237 (Security Update) | Important | Security Feature Bypass | 4520008 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| Windows Server, version 1903 (Server Core installation) | 4524570 (Security Update) | Important | Security Feature Bypass | 4517389 | Base: 8.10 Temporal: 7.30 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1424 | Tom Tervoort of www.secura.com
tom.tervoort@secura.com |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1425 MITRE NVD |
CVE Title: Visual Studio Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files. An attacker who successfully exploited this vulnerability could overwrite arbitrary files in the security context of the local system. To exploit this vulnerability, an attacker would need to trick an elevated user into downloading a malicious package, either by getting them to open a malicious project or convincing them to add a malicious package to an existing project. The vulnerabilities were introduced by NPM packages used by Visual Studio and subsequently addressed via the following two NPM advisories: Arbitrary File Overwrite - tar Arbitrary File Overwrite - fstream The update addresses the vulnerability by updating the NPM packages, which corrects how Visual Studio validates hardlinks during extraction of file archives. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1425 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Visual Studio 2017 version 15.9 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2019 version 16.0 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2019 version 16.3 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1425 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1426 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1426 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Maybe |
| Microsoft Edge (EdgeHTML-based) on Windows 10 for 32-bit Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 for x64-based Systems | 4525232 (Security Update) | Critical | Remote Code Execution | 4520011 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows Server 2016 | 4525236 (Security Update) | Moderate | Remote Code Execution | 4519998 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows Server 2019 | 4523205 (Security Update) | Moderate | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1426 | Qixun Zhao of Qihoo 360 Vulcan Team https://twitter.com/S0rryMybad,http://www.360.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1427 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1427 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Maybe |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows Server 2019 | 4523205 (Security Update) | Moderate | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1427 | MoonLiang of Tencent Security Xuanwu Lab https://xlab.tencent.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1428 MITRE NVD |
CVE Title: Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. FAQ: None Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Moderate | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1428 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| ChakraCore | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Maybe |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for 32-bit Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for x64-based Systems | 4525236 (Security Update) | Critical | Remote Code Execution | 4519998 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for 32-bit Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for ARM64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1709 for x64-based Systems | 4525241 (Security Update) | Critical | Remote Code Execution | 4520004 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for 32-bit Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for ARM64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1803 for x64-based Systems | 4525237 (Security Update) | Critical | Remote Code Execution | 4520008 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for 32-bit Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for ARM64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1809 for x64-based Systems | 4523205 (Security Update) | Critical | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for 32-bit Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for ARM64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1903 for x64-based Systems | 4524570 (Security Update) | Critical | Remote Code Execution | 4517389 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows Server 2016 | 4525236 (Security Update) | Moderate | Remote Code Execution | 4519998 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| Microsoft Edge (EdgeHTML-based) on Windows Server 2019 | 4523205 (Security Update) | Moderate | Remote Code Execution | 4519338 | Base: 4.20 Temporal: 3.80 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O |
Yes |
| CVE ID | Acknowledgements |
| CVE-2019-1428 | zhunki from Codesafe Team of Legendsec at Qi'anxin Group |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1442 MITRE NVD |
CVE Title: Microsoft Office Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists when Microsoft Office does not validate URLs. An attacker could send a victim a specially crafted file, which could trick the victim into entering credentials. An attacker who successfully exploited this vulnerability could perform a phishing attack. The update addresses the vulnerability by ensuring Microsoft Office properly validates URLs. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1442 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Server 2019 | 4484142 (Security Update) 4484149 (Security Update) |
Important | Security Feature Bypass | 4484110 4464557 |
Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1442 | Michael Maturi FireEye https://www.fireeye.com/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1443 MITRE NVD |
CVE Title: Microsoft SharePoint Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in Microsoft SharePoint when an attacker uploads a specially crafted file to the SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could potentially leverage SharePoint functionality to obtain SMB hashes. The security update addresses the vulnerability by correcting how SharePoint checks file content. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1443 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 4484143 (Security Update) | Important | Information Disclosure | 4484111 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Foundation 2010 Service Pack 2 | 4484165 (Security Update) | Important | Information Disclosure | 4484131 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | 4484157 (Security Update) | Important | Information Disclosure | 4484122 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Server 2019 | 4484142 (Security Update) | Important | Information Disclosure | 4484110 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1443 | Saif ElSherei of MSRC Vulnerabilities and Mitigations Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1445 MITRE NVD |
CVE Title: Microsoft Office Online Spoofing Vulnerability
Description: A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly. An attacker could exploit the vulnerability by sending a specially crafted request to an affected site. The attacker who successfully exploited the vulnerability could then perform cross-origin attacks on affected systems. These attacks could allow the attacker to read content that the attacker is not authorized to read, and use the victim's identity to take actions on the site on behalf of the victim. The victim needs to be authenticated for an attacker to compromise the victim. The security update addresses the vulnerability by ensuring that Office Online properly validates origins. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1445 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Office Online Server | 4484141 (Security Update) | Important | Spoofing | 4475595 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1445 | SURESH C |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1446 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created. The update addresses the vulnerability by changing the way certain Excel functions handle objects in memory. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1446 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Excel Services on Microsoft SharePoint Server 2010 Service Pack 2 | 4484159 (Security Update) | Important | Information Disclosure | 4462176 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2010 Service Pack 2 (32-bit editions) | 4484164 (Security Update) | Important | Information Disclosure | 4484130 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2010 Service Pack 2 (64-bit editions) | 4484164 (Security Update) | Important | Information Disclosure | 4484130 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 RT Service Pack 1 | 4484158 (Security Update) | Important | Information Disclosure | 4484123 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) | 4484158 (Security Update) | Important | Information Disclosure | 4484123 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) | 4484158 (Security Update) | Important | Information Disclosure | 4484123 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (32-bit edition) | 4484144 (Security Update) | Important | Information Disclosure | 4484112 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 4484144 (Security Update) | Important | Information Disclosure | 4484112 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) | 4484160 (Security Update) | Important | Information Disclosure | 4475569 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) | 4484160 (Security Update) | Important | Information Disclosure | 4475569 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 RT Service Pack 1 | 4484152 (Security Update) | Important | Information Disclosure | 4475558 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) | 4484152 (Security Update) | Important | Information Disclosure | 4475558 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) | 4484152 (Security Update) | Important | Information Disclosure | 4475558 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (32-bit edition) | 4484148 (Security Update) | Important | Information Disclosure | 4475554 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 4484148 (Security Update) | Important | Information Disclosure | 4475554 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office Online Server | 4484141 (Security Update) | Important | Information Disclosure | 4475595 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SharePoint Enterprise Server 2013 Service Pack 1 | 4484151 (Security Update) | Important | Information Disclosure | 4462215 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Office 365 ProPlus for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-1446 | Scott Brothers of Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1447 MITRE NVD |
CVE Title: Microsoft Office Online Spoofing Vulnerability
Description: A spoofing vulnerability exists when Office Online does not validate origin in cross-origin communications handlers correctly. An attacker could exploit the vulnerability by sending a specially crafted request to an affected site. The attacker who successfully exploited the vulnerability could then perform cross-origin attacks on affected systems. These attacks could allow the attacker to read content that the attacker is not authorized to read, and use the victim's identity to take actions on the site on behalf of the victim. The victim needs to be authenticated for an attacker to compromise the victim. The security update addresses the vulnerability by ensuring that Office Online properly validates origins. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | N/A | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1447 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Office Online Server | 4484141 (Security Update) | Important | Spoofing | 4475595 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2019-1447 | SURESH C |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1448 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1448 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Excel 2010 Service Pack 2 (32-bit editions) | 4484164 (Security Update) | Important | Remote Code Execution | 4484130 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2010 Service Pack 2 (64-bit editions) | 4484164 (Security Update) | Important | Remote Code Execution | 4484130 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 RT Service Pack 1 | 4484158 (Security Update) | Important | Remote Code Execution | 4484123 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) | 4484158 (Security Update) | Important | Remote Code Execution | 4484123 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) | 4484158 (Security Update) | Important | Remote Code Execution | 4484123 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (32-bit edition) | 4484144 (Security Update) | Important | Remote Code Execution | 4484112 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 4484144 (Security Update) | Important | Remote Code Execution | 4484112 | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Office 2016 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-1448 | Marcin 'Icewall' Noga of Cisco Talos https://talosintelligence.com/vulnerability_reports |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2019-1449 MITRE NVD |
CVE Title: Microsoft Office ClickToRun Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists in the way that Office Click-to-Run (C2R) components handle a specially crafted file, which could lead to a standard user, any AppContainer sandbox, and Office LPAC Protected View to escalate privileges to SYSTEM. To exploit this bug, an attacker would have to run a specially crafted file. The security update addresses how C2R components handle these files. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0 2019-11-12T08:00:00 Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Exploitation Less Likely | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2019-1449 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 32-bit Systems | Click to Run (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Office 365 ProPlus for 64-bit Systems | Click to Run (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2019-1449 | Ben Faull of Microsoft Corporation |