Security Advisory Notices

CVE-2019-1077 Visual Studio Extension Auto Update Vulnerability

An elevation of privilege vulnerability exists when the Visual Studio Extension auto-update process improperly performs certain file operations. An attacker who successfully exploited this vulnerability could delete files in arbitrary locations. To exploit this vulnerability, an attacker would require unprivileged access to a vulnerable system. The security update addresses the vulnerability by securing locations the Visual Studio Extension auto-update performs file operations in.

CVE-2019-1075 ASP.NET Core Spoofing Vulnerability

A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect. An attacker who successfully exploited the vulnerability could redirect a targeted user to a malicious website. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.

The security update addresses the vulnerability by correcting how ASP.NET Core parses URLs. Details can be found in the .NET Core release notes.

CVE-2019-1113 WorkflowDesigner XOML deserialization allows code execution

A XOML file referencing certain types could cause random code to be executed when the XOML file is opened in Visual Studio. There is now a restriction on what types are allowed to be used in XOML files. If a XOML file containing one of the newly unauthorized types is opened, a message is displayed explaining that the type is unauthorized.

For further information, please refer to https://support.microsoft.com/en-us/help/4512190/remote-code-execution-vulnerability-if-types-are-specified-in-xoml.

These are the issues addressed in 15.9.14:

• Fixed a bug causing Visual Studio 2017 crashes when switching branches.
• Fixed a bug causing internal compiler error (fbtctree.cpp', line 5540) during code analysis.
• Fixed a performance regression in memcpy/memset for Ryzen processors.
• Updated Service Fabric tooling to support the 6.5 Service Fabric release.
• Enabled screen reader to announce TeamExplorer's notifications properly on .NET 4.8.
• VS2017 15.8 Internal compiler error ('msc1.cpp', line 1518): Conflict between preprocessor and #import.
• ICE in PREfast 19.16.27023.1 (15.9 RTW).

Security Advisory Notices

• Visual Studio Extension Auto Update Vulnerability
• Visual Studio WorkFlowMarkUpDeserializerRCE Vulernability
• ASP.NET Core Spoofing Vulnerability 

• Fixed known issue: Merge tools in "Resolve conflicts" not shown.

• Fixed known issue: The debugger's worker process (msvsmon.exe) unexpectedly exited. Debugging will be aborted.
• Fixed known issue: VS 2019 crashes when debugging async code.
• Fixed known issue: Xamarin problem following update to VS2019 16.1.
• Fixed known issue: [Xcode11] [Simulator] Updating to Xcode 11 stops the simulator from launching.
• Improved the reliability of Visual Studio by fixing an intermittent issue that happens when opening solutions.
• Fixed a crash with the search functionality in locals / autos / watch windows when the IDE is not in break mode. 

SQL Server 2019 community technology preview 3.1 is now available 

• Fixed known issue: Fixed VSiX Installer throwing an IOException when executed from Visual Studio installation folder.
• Fixed known issue: Removed double-prompting for survey on uninstall.
• Enabled a help link for new users to get help choosing a workload. 

Today, we are announcing .NET Core 3.0 Preview 6. It includes updates for compiling assemblies for improved startup, optimizing applications for size with linker and EventPipe improvements. We’ve also released new Docker images for Alpine on ARM64. 

SQL Server Management Studio (SSMS) 18.1 is now generally available 

• Fixed a bug that caused Code Analysis to stop running on some C++ projects.
• Fixed a bug in the Schema Compare Tool where adding tables with an empty schema failed but was shown as successful.
• Fixed a TypeScript build issue when the selected language version is lower than the latest installed.
• Fixed a Database unresolved reference to object error.
• Improved performance issues on loading Visual Studio.
• Fixed known issue: No snapshot created for C++ native code in Memory Usage tool in the Diagnostic Tools window while debugging.. 

• XAML designer for UWP - control properties not displayed
• UWP XAML designer doesn't update elements on updating XAML code
• XAML properties and document structure
• Properties window not showing the properties when clicking an object
• Unable to see properties of any items
• Installation error when trying to connect to the Mac: "The Xamarin.iOS version installed on 'x' (12.8.0.2) is newer than your version".
• Fixed right click solution name in titlebar VS crash bug.
• Improved performance for customers with the Azure workload installed.
• Corrected errors during restore and build on SDK-based projects that use 3rd party SDKs to target UWP platforms.
• Fixed a bug in C# compiler where it was not properly warning customers about incomplete interface implementations.
• Improved error messaging in Visual Studio Tools for Kubernetes.
• Fixed error when adding a comment in PR for SymbolCheck.