【安全威胁通告】微软发布10月补丁修复61个安全问题
2019-10-09
综述
微软于周二发布了10月安全更新补丁,修复了61个从简单的欺骗攻击到远程执行代码的安全问题,产品涉及Azure、Internet Explorer、Microsoft Browsers、Microsoft Devices、Microsoft Dynamics、Microsoft Edge、Microsoft Graphics Component、Microsoft JET Database Engine、Microsoft Office、Microsoft Office SharePoint、Microsoft sc
相关信息如下:
产品 |
CVE编号 |
CVE标题 |
严重程度 |
Azure |
CVE-2019-1372 |
Azure App Service远程代码执行漏洞 |
Critical |
Internet Explorer |
CVE-2019-1371 |
Internet Explorer内存破坏漏洞 |
Important |
Microsoft Browsers |
CVE-2019-0608 |
Microsoft Browser欺骗漏洞 |
Important |
Microsoft Browsers |
CVE-2019-1357 |
Microsoft Browser欺骗漏洞 |
Important |
Microsoft Devices |
CVE-2019-1314 |
Windows 10 mobiles安全功能绕过漏洞 |
Important |
Microsoft Dynamics |
CVE-2019-1375 |
Microsoft Dynamics 365 (On-Premise) Cross Site sc |
Important |
Microsoft Edge |
CVE-2019-1356 |
Microsoft Edge based on Edge HTML信息泄露漏洞 |
Important |
Microsoft Graphics Component |
CVE-2019-1361 |
Microsoft Graphics Components信息泄露漏洞 |
Important |
Microsoft Graphics Component |
CVE-2019-1362 |
Win32k特权提升漏洞 |
Important |
Microsoft Graphics Component |
CVE-2019-1363 |
Windows GDI信息泄露漏洞 |
Important |
Microsoft Graphics Component |
CVE-2019-1364 |
Win32k特权提升漏洞 |
Important |
Microsoft JET Database Engine |
CVE-2019-1358 |
Jet Database Engine远程代码执行漏洞 |
Important |
Microsoft JET Database Engine |
CVE-2019-1359 |
Jet Database Engine远程代码执行漏洞 |
Important |
Microsoft Office |
CVE-2019-1327 |
Microsoft Excel远程代码执行漏洞 |
Important |
Microsoft Office |
CVE-2019-1331 |
Microsoft Excel远程代码执行漏洞 |
Important |
Microsoft Office SharePoint |
CVE-2019-1070 |
Microsoft Office SharePoint XSS Vulnerability |
Important |
Microsoft Office SharePoint |
CVE-2019-1328 |
Microsoft SharePoint欺骗漏洞 |
Important |
Microsoft Office SharePoint |
CVE-2019-1329 |
Microsoft SharePoint特权提升漏洞 |
Important |
Microsoft Office SharePoint |
CVE-2019-1330 |
Microsoft SharePoint特权提升漏洞 |
Important |
Microsoft sc |
CVE-2019-1060 |
MS XML远程代码执行漏洞 |
Critical |
Microsoft sc |
CVE-2019-1307 |
Chakra sc |
Critical |
Microsoft sc |
CVE-2019-1308 |
Chakra sc |
Critical |
Microsoft sc |
CVE-2019-1238 |
vb |
Critical |
Microsoft sc |
CVE-2019-1239 |
vb |
Critical |
Microsoft sc |
CVE-2019-1335 |
Chakra sc |
Critical |
Microsoft sc |
CVE-2019-1366 |
Chakra sc |
Critical |
Microsoft Windows |
CVE-2019-1341 |
Windows Power Service特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1342 |
Windows Error Reporting Manager特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1344 |
Windows Code Integrity Module信息泄露漏洞 |
Important |
Microsoft Windows |
CVE-2019-1346 |
Windows拒绝服务漏洞 |
Important |
Microsoft Windows |
CVE-2019-1347 |
Windows拒绝服务漏洞 |
Important |
Microsoft Windows |
CVE-2019-1311 |
Windows Imaging API远程代码执行漏洞 |
Important |
Microsoft Windows |
CVE-2019-1315 |
Windows Error Reporting Manager特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1316 |
Microsoft Windows Setup特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1317 |
Microsoft Windows拒绝服务漏洞 |
Important |
Microsoft Windows |
CVE-2019-1318 |
Microsoft Windows Transport Layer Security欺骗漏洞 |
Important |
Microsoft Windows |
CVE-2019-1319 |
Windows Error Reporting特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1320 |
Microsoft Windows特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1321 |
Microsoft Windows CloudStore特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1322 |
Microsoft Windows特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1325 |
Windows Redirected Drive Buffering System特权提升漏洞 |
Moderate |
Microsoft Windows |
CVE-2019-1338 |
Windows NTLM安全功能绕过漏洞 |
Important |
Microsoft Windows |
CVE-2019-1339 |
Windows Error Reporting Manager特权提升漏洞 |
Important |
Microsoft Windows |
CVE-2019-1340 |
Microsoft Windows特权提升漏洞 |
Important |
Open Source Software |
CVE-2019-1369 |
Open Enclave SDK信息泄露漏洞 |
Important |
Secure Boot |
CVE-2019-1368 |
Windows Secure Boot安全功能绕过漏洞 |
Important |
Servicing Stack Updates |
ADV990001 |
Latest Servicing Stack Updates |
Critical |
SQL Server |
CVE-2019-1313 |
SQL Server Management Studio信息泄露漏洞 |
Important |
SQL Server |
CVE-2019-1376 |
SQL Server Management Studio信息泄露漏洞 |
Important |
Windows Hyper-V |
CVE-2019-1230 |
Hyper-V信息泄露漏洞 |
Important |
Windows IIS |
CVE-2019-1365 |
Microsoft IIS Server特权提升漏洞 |
Important |
Windows Installer |
CVE-2019-1378 |
Windows 10 Update Assistant特权提升漏洞 |
Important |
Windows Kernel |
CVE-2019-1343 |
Windows拒绝服务漏洞 |
Important |
Windows Kernel |
CVE-2019-1345 |
Windows Kernel信息泄露漏洞 |
Important |
Windows Kernel |
CVE-2019-1334 |
Windows Kernel信息泄露漏洞 |
Important |
Windows NTLM |
CVE-2019-1166 |
Windows NTLM Tampering Vulnerability |
Important |
Windows RDP |
CVE-2019-1326 |
Windows Remote Desktop Protocol (RDP)拒绝服务漏洞 |
Important |
Windows RDP |
CVE-2019-1333 |
Remote Desktop Client远程代码执行漏洞 |
Critical |
Windows Update Stack |
CVE-2019-1323 |
Microsoft Windows Update Client特权提升漏洞 |
Important |
Windows Update Stack |
CVE-2019-1336 |
Microsoft Windows Update Client特权提升漏洞 |
Important |
Windows Update Stack |
CVE-2019-1337 |
Windows Update Client信息泄露漏洞 |
Important |
修复建议
微软官方已经发布更新补丁,请及时进行补丁更新。
附件
ADV990001 - Latest Servicing Stack Updates
CVE ID |
Vulnerability Desc |
Maximum Severity Rating |
Vulnerability Impact |
||||||||||||||||||||||||||||||||||||
CVE Title:Latest Servicing Stack Updates This is a list of the latest servicing stack updates for each operating system. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
1. Why are all of the Servicing Stack Updates (SSU) critical updates? The SSUs are classified as Critical updates. This does not indicate that there is a critical vulnerability being addressed in the update. 2. When was the most recent SSU released for each version of Microsoft Windows? Please refer to the following table for the most recent SSU release. We will update the entries any time a new SSU is released:
A Servicing Stack Update has been released for Windows Server 2008 and Windows Server 2008 (Server Core installation); Windows 10 version 1809 Windows Server 2019 and Windows Server 2019 (Server Core installation). See the FAQ section for more information. 5.0 02/12/2019 08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1607 Windows Server 2016 and Windows Server 2016 (Server Core installation); Windows 10 Version 1703; Windows 10 Version 1709 and Windows Server version 1709 (Server Core Installation); Windows 10 Version 1803 and Windows Server version 1803 (Server Core Installation). See the FAQ section for more information. 11.0 07/09/2019 07:00:00 A Servicing Stack Update has been released for all supported versions of Windows 10 (including Windows Server 2016 and 2019) Windows 8.1 Windows Server 2012 R2 and Windows Server 2012. See the FAQ section for more information. 5.2 02/14/2019 08:00:00 In the Security Updates table corrected the Servicing Stack Update (SSU) for Windows 10 Version 1803 for x64-based Systems to 4485449. This is an informational change only. 12.0 07/24/2019 07:00:00 A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information. 3.0 12/11/2018 08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1709 Windows Server version 1709 (Server Core Installation) Windows 10 Version 1803 and Windows Server version 1803 (Server Core Installation). See the FAQ section for more information. 6.0 03/12/2019 07:00:00 A Servicing Stack Update has been released for Windows 7 and Windows Server 2008 R2 and Windows Server 2008 R2 (Server Core installation). See the FAQ section for more information. 9.0 06/11/2019 07:00:00 A Servicing Stack Update has been released for Windows 10 version 1607 Windows Server 2016 Windows 10 version 1809 and Windows Server 2019. See the FAQ section for more information. 8.0 05/14/2019 07:00:00 A Servicing Stack Update has been released for Windows 10 version 1507 Windows 10 version 1607 Windows Server 2016 Windows 10 version 1703 Windows 10 version 1709 Windows Server version 1709 Windows 10 version 1803 Windows Server version 1803 Windows 10 version 1809 Windows Server 2019 Windows 10 version 1809 and Windows Server version 1809. See the FAQ section for more information. 4.0 01/08/2019 08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1703. See the FAQ section for more information. 15.0 10/08/2019 07:00:00 A Servicing Stack Update has been released for all supported versions of Windows 10 (including Windows Server 2016 and 2019) Windows 8.1 Windows Server 2012 R2 and Windows Server 2012. See the FAQ section for more information. 14.0 09/10/2019 07:00:00 A Servicing Stack Update has been released for all supported versions of Windows. See the FAQ section for more information. 3.1 12/11/2018 08:00:00 Updated supersedence information. This is an informational change only. 3.2 12/12/2018 08:00:00 Fixed a typo in the FAQ. 1.1 11/14/2018 08:00:00 Corrected the link to the Windows Server 2008 Servicing Stack Update. This is an informational change only. 1.0 11/13/2018 08:00:00 Information published. 2.0 12/05/2018 08:00:00 A Servicing Stack Update has been released for Windows 10 Version 1809 and Windows Server 2019. See the FAQ section for more information. 1.2 12/03/2018 08:00:00 FAQs have been added to further explain Security Stack Updates. The FAQs include a table that indicates the most recent SSU release for each Windows version. This is an informational change only. 13.0 07/26/2019 07:00:00 A Servicing Stack Update has been released for Windows 10 version 1903 and Windows Server version 1903 (Server Core installation). See the FAQ section for more information. 5.1 02/13/2019 08:00:00 In the Security Updates table corrected the Servicing Stack Update (SSU) for Windows 10 Version 1809 for x64-based Systems to 4470788. This is an informational change only. 10.0 06/14/2019 07:00:00 A Servicing Stack Update has been released for Windows 10 version 1903 and Windows Server version 1903 (Server Core installation). See the FAQ section for more information. |
Critical |
Defense in Depth |
Affected Software
The following tables list the affected software details for the vulnerability.
ADV990001 |
||||||
Product |
KB Article |
Severity |
Impact |
Supersedence |
CVSS Score Set |
Restart Required |
Windows 7 for 32-bit Systems Service Pack 1 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 7 for x64-based Systems Service Pack 1 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2012 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2012 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 8.1 for 32-bit systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 8.1 for x64-based systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2012 R2 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2012 R2 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 for 32-bit Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 for x64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2016 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1607 for 32-bit Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1607 for x64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2016 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1703 for 32-bit Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1703 for x64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1709 for 32-bit Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1709 for x64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1803 for 32-bit Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1803 for x64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server version 1803 (Server Core Installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1803 for ARM64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1809 for 32-bit Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1809 for x64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1809 for ARM64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2019 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2019 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1709 for ARM64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1903 for 32-bit Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1903 for x64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows 10 Version 1903 for ARM64-based Systems |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server version 1903 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 for Itanium-Based Systems Service Pack 2 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 for 32-bit Systems Service Pack 2 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 for x64-based Systems Service Pack 2 |
Critical |
Defense in Depth |
Base: N/A |
Yes |
||
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) |
Critical |
Defense in Depth |
Base: N/A |
Yes |
CVE-2019-0608 - Microsoft Browser Spoofing Vulnerability
CVE ID |
Vulnerability Desc |
Maximum Severity Rating |
Vulnerability Impact |
CVE Title:Microsoft Browser Spoofing Vulnerability A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. To exploit the vulnerability the user must click a specially crafted URL. In an email attack scenario an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it. In a web-based attack scenario an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website typically by way of enticement in an email or instant message and then convince the user to interact with content on the website. The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.
Information published. |
Important |
Spoofing |
Affected Software
The following tables list the affected software details for the vulnerability.
CVE-2019-0608 |
||||||
Product |
KB Article |
Severity |
Impact |
Supersedence |
CVSS Score Set |
Restart Required |
Internet Explorer 9 on Windows Server 2008 for 32-bit Systems Service Pack 2 |
Low |
Spoofing |
4516026 |
Base: 2.4 |
Yes |
|
Internet Explorer 9 on Windows Server 2008 for x64-based Systems Service Pack 2 |
Low |
Spoofing |
4516026 |
Base: 2.4 |
Yes |
|
Internet Explorer 11 on Windows 7 for 32-bit Systems Service Pack 1 |
Important |
Spoofing |
4524157 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 7 for x64-based Systems Service Pack 1 |
Important |
Spoofing |
4524157 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
Low |
Spoofing |
4524157 |
Base: 2.4 |
Yes |
|
Internet Explorer 11 on Windows Server 2012 |
Low |
Spoofing |
4524135 |
Base: 2.4 |
Yes |
|
Internet Explorer 11 on Windows 8.1 for 32-bit systems |
Important |
Spoofing |
4524156 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 8.1 for x64-based systems |
Important |
Spoofing |
4524156 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows Server 2012 R2 |
Low |
Spoofing |
4524156 |
Base: 2.4 |
Yes |
|
Internet Explorer 11 on Windows RT 8.1 |
4520005 Monthly Rollup |
Important |
Spoofing |
4524156 |
Base: 4.3 |
Yes |
Internet Explorer 11 on Windows 10 for 32-bit Systems |
Important |
Spoofing |
4524153 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 for x64-based Systems |
Important |
Spoofing |
4524153 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows Server 2016 |
Low |
Spoofing |
4524152 |
Base: 2.4 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1607 for 32-bit Systems |
Important |
Spoofing |
4524152 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1607 for x64-based Systems |
Important |
Spoofing |
4524152 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems |
Important |
Spoofing |
4524151 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems |
Important |
Spoofing |
4524151 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1709 for 32-bit Systems |
Important |
Spoofing |
4524150 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1709 for x64-based Systems |
Important |
Spoofing |
4524150 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1803 for 32-bit Systems |
Important |
Spoofing |
4524149 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1803 for x64-based Systems |
Important |
Spoofing |
4524149 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1803 for ARM64-based Systems |
Important |
Spoofing |
4524149 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1809 for 32-bit Systems |
Important |
Spoofing |
4524148 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1809 for x64-based Systems |
Important |
Spoofing |
4524148 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1809 for ARM64-based Systems |
Important |
Spoofing |
4524148 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows Server 2019 |
Low |
Spoofing |
4524148 |
Base: 2.4 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1709 for ARM64-based Systems |
Important |
Spoofing |
4524150 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1903 for 32-bit Systems |
Important |
Spoofing |
4524147 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1903 for x64-based Systems |
Important |
Spoofing |
4524147 |
Base: 4.3 |
Yes |
|
Internet Explorer 11 on Windows 10 Version 1903 for ARM64-based Systems |
Important |
Spoofing |
4524147 |
Base: 4.3 |
Yes |
|
Internet Explorer 10 on Windows Server 2012 |
Low |
Spoofing |
4524135 |
Base: 2.4 |
Yes |
|
Microsoft Edge (EdgeHTML-based) on Windows 10 for 32-bit Systems |
Important |
Spoofing |
4524153 |
Base: 4.3 |
Yes |
|
Microsoft Edge (EdgeHTML-based) on Windows 10 for x64-based Systems |
Important |
Spoofing |
4524153 |
Base: 4.3 |
Yes |
|
Microsoft Edge (EdgeHTML-based) on Windows Server 2016 |
Low |
Spoofing |
4524152 |
Base: 4.3 |
Yes |
|
Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for 32-bit Systems |
Important |
Spoofing |
4524152 |
Base: 4.3 |
Yes |
|
Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1607 for x64-based Systems |
Important |
Spoofing |
4524152 |
Base: 4.3 |
Yes |
|
Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1703 for 32-bit Systems |
Important |
Spoofing |
4524151 |
Base: 4.3 |
Yes |