Microsoft security alert.
January 9, 2018
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 32 vulnerabilities that were fixed in 5 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 5 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Windows Adobe Flash Player Security Update for January 2018
- Severity
- Urgent 5
- Qualys ID
- 100327
- Vendor Reference
- ADV180001
- CVE Reference
- CVE-2017-11306, CVE-2018-4871
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
This security update resolves vulnerabilities which are described in the Adobe Security Bulletin APSB18-01, if installed on any supported edition of Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 10 Version 1703, Windows 10 Version 1709, Windows 8.1, or Windows RT 8.1.
QID Detection Logic:
Operating Systems: Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
This authenticated QID checks for the file version of %windir%\System32\Macromed\Flash\Flash.ocx for file versions lesser than28.0.0.137.KB Articles associated with this update are: KB4056887
- Consequence
- Successful exploitation allows an attacker to execute code remotely and bypass security restrictions to gain access to sensitive information.
- Solution
-
Customers are advised to follow ADV180001 for instructions pertaining to the remediation of these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV180001
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018
- Severity
- Critical 4
- Qualys ID
- 110310
- Vendor Reference
- KB3114998, KB3141547, KB4011021, KB4011201, KB4011213, KB4011273, KB4011574, KB4011579, KB4011580, KB4011599, KB4011602, KB4011605, KB4011606, KB4011607, KB4011609, KB4011610, KB4011611, KB4011615, KB4011622, KB4011626, KB4011627, KB4011632, KB4011636, KB4011637, KB4011639, KB4011641, KB4011642, KB4011643, KB4011648, KB4011651, KB4011653, KB4011656, KB4011657, KB4011658, KB4011659, KB4011660
- CVE Reference
- CVE-2018-0789, CVE-2018-0790, CVE-2018-0791, CVE-2018-0792, CVE-2018-0793, CVE-2018-0794, CVE-2018-0795, CVE-2018-0796, CVE-2018-0797, CVE-2018-0798, CVE-2018-0799, CVE-2018-0801, CVE-2018-0802, CVE-2018-0804, CVE-2018-0805, CVE-2018-0806, CVE-2018-0807, CVE-2018-0812, CVE-2018-0819, CVE-2018-0845, CVE-2018-0848, CVE-2018-0849, CVE-2018-0862
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
-
Microsoft releases security updates on January 2018 to fix multiple security vulnerabilities:
This security updates contain following KBs:
KB3114998 KB3141547 KB4011021 KB4011201 KB4011213 KB4011273 KB4011574 KB4011579 KB4011580 KB4011599 KB4011602 KB4011605 KB4011606 KB4011607 KB4011609 KB4011610 KB4011611 KB4011615 KB4011622 KB4011626 KB4011627 KB4011632 KB4011636 KB4011637 KB4011639 KB4011641 KB4011642 KB4011643 KB4011648 KB4011651 KB4011653 KB4011656 KB4011657 KB4011658 KB4011659 KB4011660 QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system. - Consequence
- An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2018
-
Microsoft .NET Framework Security Update January 2018
- Severity
- Critical 4
- Qualys ID
- 91427
- Vendor Reference
- .NET Core Issue 51, .NET Core Issue 52, KB4054170, KB4054171, KB4054172, KB4054174, KB4054175, KB4054176, KB4054177, KB4054181, KB4054182, KB4054183, KB4054993, KB4054994, KB4054995, KB4054996, KB4054997, KB4054998, KB4054999, KB4055000, KB4055001, KB4055002, KB4056888, KB4056891, KB4056892, KB4056893
- CVE Reference
- CVE-2018-0764, CVE-2018-0786
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
A security feature bypass vulnerability exists when Microsoft .NET Framework (and .NET Core) components do not completely validate certificates. (CVE-2018-0786)
A Denial of Service vulnerability exists when .NET, and .NET core, improperly process XML documents. (CVE-2018-0764)
KB4054170,KB4054171,KB4054172,KB4054174,KB4054175,KB4054176,KB4054177,KB4054181,KB4054182,KB4054183,KB4054993,KB4054994,KB4054995,KB4054996,KB4054997,KB4054998,KB4054999,KB4055000,KB4055001,KB4055002,KB4056888,KB4056891,KB4056892,KB4056893 are covered in this QID.
This security update is rated Important for supported versions of Microsoft .NET Framework.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of system.xml.dll
- Consequence
- Successful exploitation allows an attacker to cause denial of service and bypass the security features.
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
.NET Framework Jan 2018
KB4055265
KB4055266
KB4055266
KB4055269
KB4055270
KB4055271
KB4055272
KB4055532
KB4056888
KB4056890
KB4056891
KB4056892
KB4056893
-
Microsoft Security Update for SQL Server (ADV180002) (Spectre/Meltdown)
- Severity
- Critical 4
- Qualys ID
- 91424
- Vendor Reference
- ADV180002, KB4073225
- CVE Reference
- CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
- CVSS Scores
- Base 4.7 / Temporal 3.9
- Description
-
Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as "speculative execution side-channel attacks" that affect many modern processors and operating systems including Intel, AMD, and ARM.
Microsoft has released several updates to help mitigate these vulnerabilities. Affected Versions:
SQL Server 2008, SQL Server 2008R2, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017QID Detection Logic:
This authenticated QID checks for vulnerable MSSQL versions lesser than 2007.100.6556.0, 2009.100.6560.0, 2011.110.6260.1, 2011.110.6615.2, 2011.110.7462.6, 2014.120.5214.6, 2014.120.5571.0, 2015.130.1745.2, 2015.130.2218.0, 2015.130.4210.6, 2015.130.4466.4, 2017.140.2000.63, 2017.140.3015.40
Note: Customers are advised to refer to SQL Server Guidance to protect against speculative execution side-channel vulnerabilities to patch the SQL Server. - Consequence
-
Successful exploitation could allow an attacker to obtain sensitive data, such as passwords and crypto-keys from the targeted system.
- Solution
-
Customers are advised to refer to ADV180002 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4073225 Windows(SQL Server)
-
Microsoft Internet Explorer Security Update for January 2018 (ADV180002) (Spectre/Meltdown)
- Severity
- Critical 4
- Qualys ID
- 100326
- Vendor Reference
- ADV180002, KB4056568, KB4056888, KB4056890, KB4056891, KB4056892, KB4056893, KB4056894, KB4056895, KB4056896
- CVE Reference
- CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-0762, CVE-2018-0772
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.
Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The security updated is rated Moderate for for Internet Explorer 9 (IE 9) and Internet Explorer 10 (IE 10) and Critical for Internet Explorer 11 (IE 11).
The Security Update addresses the vulnerabilities by fixing:
As per ADV180002CVE-2017-5753, CVE-2017-5754, CVE-2017-5715 affect Internet Explorer 11 only
KB Articles associated with the Update:
1) 4056568
2) 4056893
3) 4056890
4) 4056891
5) 4056892
6) 4056888
7) 4056894
8) 4056895
9) 4056896QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1 Windows10, Windows Server 2012, Windows RT 8.1 Windows Server 2012 R2, Windows Server 2016
This QID checks for the file version of %windir%\System32\mshtml.dll
The following KBs are checked:
The patch version is 9.0.8112.21097 (KB4056568)
The patch version is 10.0.9200.22332 (KB4056568 or KB4056896)
The patch version is 11.0.9600.18879 (KB4056568 or KB4056894 or KB4056895)
The patch version is 11.0.10240.17738 (KB4056893)
The patch version is 11.0.10586.1356(KB4056888)
The patch version is 11.0.14393.2007 (KB4056890)
The patch version is 11.0.15063.850(KB4056891)
The patch version is 11.0.16299.192 (KB4056892)
- Consequence
-
Successful exploitation of the vulnerability allows:
1) Remote Code Execution
2) Information Disclosure - Solution
-
For more information, Customers are advised to refer the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
These new vulnerability checks are included in Qualys vulnerability signature 2.4.236-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100327
- 110310
- 91427
- 91424
- 100326
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.