Microsoft выпустил плановый пакет обновлений, исправляющий уязвимости в продуктах Microsoft
Microsoft выпустил плановый пакет обновлений, исправляющий уязвимости в продуктах Microsoft
Microsoft выпустила плановый пакет обновлений, исправляющих в общей сложности 88 уязвимостей в различных версиях ОС Windows и других продуктах производителя, в том числе ряд багов, эксплоиты для которых были опубликованы в открытом доступе.
Из 88 исправленных 21 проблема получила статус «критических», 66 - «важных» и 1 уязвимость расценена как «средней степени опасности».
Критические уязвимости затрагивают JavaScript движок для браузера Microsoft Edge Chakra Scripting Engine (9 уязвимостей), Microsoft Scripting Engine (4), гипервизор Hyper-V (3), Microsoft Speech API, а также Edge и Internet Explorer.
В числе прочих производитель исправил уязвимости CVE-2019-1040 и CVE-2019-1019 в протоколе аутентификации NTLM, позволяющие обойти механизмы защиты NTLM и провести атаку типа NTLM Relay. Суть атак подобного типа заключается в том, чтобы вмешаться в процесс аутентификации по протоколу NTLM и получить доступ к стороннему ресурсу с привилегиями атакуемого пользователя. Атака может быть реализована в отношении любого протокола, поддерживающего NTLM-авторизацию (SMB, HTTP, LDAP и т.д.).
Microsoft CVE Summary
This report contains detail for the following vulnerabilities:
| Tag | CVE ID | CVE Title |
|---|---|---|
| Adobe Flash Player | ADV190015 | June 2019 Adobe Flash Security Update |
| Kerberos | CVE-2019-0972 | Local Security Authority Subsystem Service Denial of Service Vulnerability |
| Microsoft Browsers | CVE-2019-1081 | Microsoft Browser Information Disclosure Vulnerability |
| Microsoft Browsers | CVE-2019-1038 | Microsoft Browser Memory Corruption Vulnerability |
| Microsoft Devices | ADV190017 | Microsoft HoloLens Remote Code Execution Vulnerabilities |
| Microsoft Devices | ADV190016 | Bluetooth Low Energy Advisory |
| Microsoft Edge | CVE-2019-1054 | Microsoft Edge Security Feature Bypass Vulnerability |
| Microsoft Exchange Server | ADV190018 | Microsoft Exchange Server Defense in Depth Update |
| Microsoft Graphics Component | CVE-2019-1018 | DirectX Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-1047 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1046 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1013 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1015 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1016 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1048 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-0977 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-0960 | Win32k Elevation of Privilege Vulnerability |
| Microsoft Graphics Component | CVE-2019-0968 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1049 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1050 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-0985 | Microsoft Speech API Remote Code Execution Vulnerability |
| Microsoft Graphics Component | CVE-2019-1010 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1009 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1011 | Windows GDI Information Disclosure Vulnerability |
| Microsoft Graphics Component | CVE-2019-1012 | Windows GDI Information Disclosure Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0905 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0974 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0904 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0906 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0908 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0909 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft JET Database Engine | CVE-2019-0907 | Jet Database Engine Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-1035 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft Office | CVE-2019-1034 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft Office SharePoint | CVE-2019-1032 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2019-1036 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2019-1031 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Office SharePoint | CVE-2019-1033 | Microsoft Office SharePoint XSS Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1002 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0991 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1080 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1023 | Scripting Engine Information Disclosure Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0993 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0992 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1024 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0990 | Scripting Engine Information Disclosure Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0988 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0989 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1055 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1052 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1051 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-0920 | Scripting Engine Memory Corruption Vulnerability |
| Microsoft Scripting Engine | CVE-2019-1003 | Chakra Scripting Engine Memory Corruption Vulnerability |
| Microsoft Windows | CVE-2019-1069 | Task Scheduler Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1064 | Windows Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0888 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-1025 | Windows Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-1045 | Windows Network File System Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-1043 | Comctl32 Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-0710 | Windows Hyper-V Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-0709 | Windows Hyper-V Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-0722 | Windows Hyper-V Remote Code Execution Vulnerability |
| Microsoft Windows | CVE-2019-0943 | Windows ALPC Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0713 | Windows Hyper-V Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-0983 | Windows Storage Service Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0984 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0711 | Windows Hyper-V Denial of Service Vulnerability |
| Microsoft Windows | CVE-2019-0948 | Windows Event Viewer Information Disclosure Vulnerability |
| Microsoft Windows | CVE-2019-0959 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft Windows | CVE-2019-0998 | Windows Storage Service Elevation of Privilege Vulnerability |
| Servicing Stack Updates | ADV990001 | Latest Servicing Stack Updates |
| Skype for Business and Microsoft Lync | CVE-2019-1029 | Skype for Business and Lync Server Denial of Service Vulnerability |
| Team Foundation Server | CVE-2019-0996 | Azure DevOps Server Spoofing Vulnerability |
| VBScript | CVE-2019-1005 | Scripting Engine Memory Corruption Vulnerability |
| Windows Authentication Methods | CVE-2019-1040 | Windows NTLM Tampering Vulnerability |
| Windows Hyper-V | CVE-2019-0620 | Windows Hyper-V Remote Code Execution Vulnerability |
| Windows IIS | CVE-2019-0941 | Microsoft IIS Server Denial of Service Vulnerability |
| Windows Installer | CVE-2019-0973 | Windows Installer Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-1044 | Windows Secure Kernel Mode Security Feature Bypass Vulnerability |
| Windows Kernel | CVE-2019-1014 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-1017 | Win32k Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-1065 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-1041 | Windows Kernel Elevation of Privilege Vulnerability |
| Windows Kernel | CVE-2019-1039 | Windows Kernel Information Disclosure Vulnerability |
| Windows Media | CVE-2019-1026 | Windows Audio Service Elevation of Privilege Vulnerability |
| Windows Media | CVE-2019-1007 | Windows Audio Service Elevation of Privilege Vulnerability |
| Windows Media | CVE-2019-1027 | Windows Audio Service Elevation of Privilege Vulnerability |
| Windows Media | CVE-2019-1022 | Windows Audio Service Elevation of Privilege Vulnerability |
| Windows Media | CVE-2019-1021 | Windows Audio Service Elevation of Privilege Vulnerability |
| Windows Media | CVE-2019-1028 | Windows Audio Service Elevation of Privilege Vulnerability |
| Windows NTLM | CVE-2019-1019 | Microsoft Windows Security Feature Bypass Vulnerability |
| Windows Shell | CVE-2019-0986 | Windows User Profile Service Elevation of Privilege Vulnerability |
| Windows Shell | CVE-2019-1053 | Windows Shell Elevation of Privilege Vulnerability |
