Security Updates for Microsoft Visual Studio Products (December 2019)

high Nessus Plugin ID 131939

Synopsis

The Microsoft Visual Studio Products are affected by multiple vulnerabilities.

Description

The Microsoft Visual Studio Products are missing security updates. It is, therefore, affected by multiple vulnerabilities :

- A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. (CVE-2019-1351)

- A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
(CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387)

- A spoofing vulnerability exists in Visual Studio Live Share when a guest connected to a Live Share session is redirected to an arbitrary URL specified by the session host. An attacker who successfully exploited this vulnerability could cause a connected guest's computer to open a browser and navigate to a URL without consent from the guest. (CVE-2019-1486)

Solution

Microsoft has released Visual Studio 2017 15.9.18, Visual Studio 2019 16.0.19, and Visual Studio 2019 16.4.1 to address this issue.

See Also

http://www.nessus.org/u?12d98124

http://www.nessus.org/u?08e082ad

http://www.nessus.org/u?b4bf32ac

Plugin Details

Severity: High

ID: 131939

File Name: smb_nt_ms19_dec_visual_studio.nasl

Version: 1.7

Type: local

Agent: windows

Published: 12/10/2019

Updated: 4/4/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-1354

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-1387

Vulnerability Information

CPE: cpe:/a:microsoft:visual_studio

Required KB Items: SMB/MS_Bulletin_Checks/Possible, installed_sw/Microsoft Visual Studio

Exploit Ease: No known exploits are available

Patch Publication Date: 12/10/2019

Vulnerability Publication Date: 12/10/2019

Reference Information

CVE: CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387, CVE-2019-1486