SB2019010816 - Multiple vulnerabilities in Microsoft Visual Studio

Description

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2019-0537)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to Visual Studio improperly discloses arbitrary file contents if the victim opens a malicious .vscontent file. A remote attacker can trick the victim into opening a malicious .vscontent file using a vulnerable version of Visual Studio and view arbitrary file contents from the computer where the victim launched Visual Studio.

2) Input validation error (CVE-ID: CVE-2019-0546)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in Visual Studio when the C++ compiler improperly handles specific combinations of C++ constructs. A remote unauthenticated attacker can trick the victim into opening a specially crafted file which was compiled with an affected version of Visual Studio

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0537
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0546