Microsoft security alert.

June 12, 2018

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 50 vulnerabilities that were fixed in 5 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 5 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for June 2018

    Severity
    Critical 4
    Qualys ID
    100337
    Vendor Reference
    KB4230450, KB4284815, KB4284819, KB4284826, KB4284835, KB4284855, KB4284860, KB4284874, KB4284880
    CVE Reference
    CVE-2018-0978, CVE-2018-8113, CVE-2018-8249, CVE-2018-8267
    CVSS Scores
    Base 7.6 / Temporal 6
    Description
    Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The security updated is rated Moderate for for Internet Explorer 9 (IE 9) and Internet Explorer 10 (IE 10) and Critical for Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    KB Articles associated with the Update:
    1) 4284826
    2) 4230450
    3) 4284815
    4) 4284880
    5) 4284860
    6) 4284874
    7) 4284819
    8) 4284835
    9) 4284855

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks for the file version of %windir%\System32\mshtml.dll
    The following KBs are checked:
    The patch version is 11.0.9600.19036 (KB4284826 or KB4230450 or KB4284815)
    The patch version is 11.0.10240.17889 (KB4284860)
    The patch version is 11.0.14393.2312 (KB4284880)
    The patch version is 11.0.15063.1155 (KB4284874)
    The patch version is 11.0.16299.492 (KB4284819)
    The patch version is 11.0.17134.112 (KB4284835)
    The patch version is 10.0.9200.22464 (KB4230450 or KB4284855)
    The patch version is 9.0.8112.21231 (KB4230450)

    Consequence
    Successful exploitation of the vulnerability will lead to:

    1) Remote Code Execution
    2) Security Feature Bypass

    Solution
    For more information, Customers are advised to refer the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2018

    Severity
    Critical 4
    Qualys ID
    110319
    Vendor Reference
    KB3115197, KB3115248, KB4011026, KB4011186, KB4018387, KB4018391, KB4022151, KB4022160, KB4022169, KB4022173, KB4022174, KB4022177, KB4022179, KB4022182, KB4022183, KB4022190, KB4022191, KB4022196, KB4022197, KB4022199, KB4022203, KB4022205, KB4022209, KB4022210
    CVE Reference
    CVE-2018-8244, CVE-2018-8245, CVE-2018-8246, CVE-2018-8247, CVE-2018-8248, CVE-2018-8252, CVE-2018-8254
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft releases security updates on May 2018 to fix multiple security vulnerabilities:

    This security updates contain following KBs:
    KB3115197 KB3115248 KB4011026 KB4011186 KB4018387 KB4018391 KB4022151 KB4022160 KB4022169 KB4022173 KB4022174 KB4022177 KB4022179 KB4022182 KB4022183 KB4022190 KB4022191 KB4022196 KB4022197 KB4022199 KB4022203 KB4022205 KB4022209 KB4022210

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2018

  • Microsoft Windows Security Update June 2018

    Severity
    Critical 4
    Qualys ID
    91452
    Vendor Reference
    KB4230467, KB4234459, KB4284815, KB4284819, KB4284826, KB4284835, KB4284846, KB4284855, KB4284860, KB4284867, KB4284874, KB4284878, KB4284880, KB4294413
    CVE Reference
    CVE-2018-0982, CVE-2018-1036, CVE-2018-1040, CVE-2018-8121, CVE-2018-8140, CVE-2018-8169, CVE-2018-8175, CVE-2018-8201, CVE-2018-8205, CVE-2018-8207, CVE-2018-8208, CVE-2018-8209, CVE-2018-8210, CVE-2018-8211, CVE-2018-8212, CVE-2018-8213, CVE-2018-8214, CVE-2018-8215, CVE-2018-8216, CVE-2018-8217, CVE-2018-8218, CVE-2018-8219, CVE-2018-8221, CVE-2018-8224, CVE-2018-8225, CVE-2018-8226, CVE-2018-8231, CVE-2018-8233, CVE-2018-8239, CVE-2018-8251
    CVSS Scores
    Base 9.3 / Temporal 7.7
    Description
    Microsoft has released Cumulative Security Updates for Windows which addresses the following vulnerabilities:

    An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions. (CVE-2018-0982)
    An elevation of privilege vulnerability exists when NTFS improperly checks access. (CVE-2018-1036)
    A denial of service vulnerability exists in the way that the Windows Code Integrity Module performs hashing.(CVE-2018-1040)
    An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.(CVE-2018-8121)
    An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. (CVE-2018-8140)
    An elevation of privilege vulnerability exists when the (Human Interface Device) HID Parser Library driver improperly handles objects in memory. (CVE-2018-8169)
    An denial of service vulnerability exists when Windows NT WEBDAV Minirdr attempts to query a WEBDAV directory. (CVE-2018-8175)
    A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. (CVE-2018-8201)

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks for following file versions %windir%\System32\Ntoskrnl.exe for all affected OS:
    The patch version of 6.0.6002.24400 (KB4230467)
    The patch version of 6.1.7601.24150 (KB4284826 or KB4284867)
    The patch version of 6.2.9200.22462 (KB4284846 or KB4284855)
    The patch version of 6.3.9600.19035 (KB4284878 or KB4284815)
    The patch version of 10.0.10240.17889 (KB4284860)
    The patch version of 10.0.14393.2312 (KB4284880)
    The patch version of 10.0.15063.1155 (KB4284874)
    The patch version of 10.0.16299.492 (KB4284819)
    The patch version of 10.0.17134.111 (KB4284835)

    This QID checks for following files and its versions for Windows 2008 SP2:
    The patch version of %windir%\system32\Advapi32.dll 6.0.6002.24398 (KB4234459)
    The patch version of %windir%\System32\DriverStore\FileRepository\Hidir.sys 6.0.6002.24394 (KB4294413)

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4230467
    KB4234459
    KB4284815
    KB4284819
    KB4284826
    KB4284835
    KB4284846
    KB4284855
    KB4284860
    KB4284867
    KB4284874
    KB4284878
    KB4284880
    KB4294413

  • Microsoft Edge Security Update for June 2018

    Severity
    Critical 4
    Qualys ID
    91453
    Vendor Reference
    KB4284819, KB4284835, KB4284860, KB4284874, KB4284880
    CVE Reference
    CVE-2018-0871, CVE-2018-8110, CVE-2018-8111, CVE-2018-8227, CVE-2018-8229, CVE-2018-8234, CVE-2018-8235, CVE-2018-8236
    CVSS Scores
    Base 7.6 / Temporal 6
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser.

    Microsoft Edge contains the following security vulnerabilities:
    CVE-2018-0871: An information disclosure vulnerability exists when Edge improperly marks files.
    CVE-2018-8110, CVE-2018-8111, CVE-2018-8236: A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory.
    CVE-2018-8227, CVE-2018-8229: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge.
    CVE-2018-8234: An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory.
    CVE-2018-8235: A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins.

    KB Articles associated with the update:
    1) KB4284874
    2) KB4284819
    3) KB4284835
    4) KB4284880
    5) KB4284860

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 10 (1507, 1607, 1703, 1709 and 1803) and Windows Server 2016
    This QID checks for the file version of %windir%\System32\edgehtml.dll
    The following KBs are checked:
    The patch version is 11.0.15063.1155 (KB4284874)
    The patch version is 11.0.16299.492 (KB4284819)
    The patch version is 11.0.17134.112 (KB4284835)
    The patch version is 11.0.14393.2312 (KB4284880)
    The patch version is 11.0.10240.17890 (KB4284860)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.
    Solution
    Customers are advised to refer to Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Windows Security Update (ADV180012) (Spectre/Meltdown Variant 4)

    Severity
    Critical 4
    Qualys ID
    91454
    Vendor Reference
    ADV180012
    CVE Reference
    CVE-2018-3639
    CVSS Scores
    Base 2.1 / Temporal 1.7
    Description
    On January 3 2018, Microsoft released an advisory and security updates related to hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21st, a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB) has been announced and assigned CVE-2018-3639.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008 R2, Windows 7, Windows10, Windows Server 2016
    This QID checks for following file versions %windir%\System32\Ntoskrnl.exe for all affected OS:
    The patch version of 6.0.6002.24421 (KB4340583)
    The patch version of 6.1.7601.24150 (KB4284826 or KB4284867)
    The patch version of 6.2.9200.22490(KB4338830 or KB4338820)
    The patch version of 6.3.9600.19067 (KB4338815 or KB4338824)
    The patch version of 10.0.10240.17889 (KB4284860)
    The patch version of 10.0.14393.2312 (KB4284880)
    The patch version of 10.0.15063.1155 (KB4284874)
    The patch version of 10.0.16299.492 (KB4284819)
    The patch version of 10.0.17134.111 (KB4284835)

    Consequence
    An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639.
    Solution
    Customers are advised to refer to ADV180012 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4284860

These new vulnerability checks are included in Qualys vulnerability signature 2.4.350-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100337
    • 110319
    • 91452
    • 91453
    • 91454
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.