Cloud Platform
Solutions
Subscriptions
Cloud platform apps
Customers
Partners
Community
Support
Company
Login

Microsoft security alert.

July 10, 2018

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 47 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit our blog to see how to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying our FreeScan service.

Vulnerability details

Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for July 2018

    Severity
    Critical 4
    Qualys ID
    100339
    Vendor Reference
    KB4338814, KB4338815, KB4338818, KB4338819, KB4338825, KB4338826, KB4338829, KB4338830, KB4339093
    CVE Reference
    CVE-2018-0949, CVE-2018-8242, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296
    CVSS Scores
    Base 7.6 / Temporal 5.6
    Description
    Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The security updated is rated Moderate for for Internet Explorer 9 (IE 9) and Internet Explorer 10 (IE 10) and Critical for Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    KB Articles associated with the Update:
    1) 4338818
    2) 4339093
    3) 4338815
    4) 4338814
    5) 4338829
    6) 4338826
    7) 4338825
    8) 4338819
    9) 4338830

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks for the file version of %windir%\System32\mshtml.dll
    The following KBs are checked:
    The patch version is 11.0.9600.19081 (KB4338818 or KB4339093 - Windows Server 2008 R2, Windows 7,)
    The patch version is 11.0.9600.19061 (KB4339093 or KB4338815 - Windows 8.1, Windows RT 8.1, Windows Server 2012 R2)
    The patch version is 11.0.10240.17914 (KB4284860)
    The patch version is 11.0.14393.2363 (KB4284880)
    The patch version is 11.0.15063.1206 (KB4284874)
    The patch version is 11.0.16299.547 (KB4284819)
    The patch version is 11.0.17134.165 (KB4284835)
    The patch version is 10.0.9200.22500 (KB4339093 or KB4338830)
    The patch version is 9.0.8112.21250 (KB4339093)

    Consequence
    Successful exploitation of the vulnerability will lead to:

    1) Remote Code Execution
    2) Security Feature Bypass

    Solution
    For more information, Customers are advised to refer the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Windows Adobe Flash Player Security Update for July 2018 (ADV180017)

    Severity
    Urgent 5
    Qualys ID
    100340
    Vendor Reference
    ADV180017
    CVE Reference
    CVE-2018-5007, CVE-2018-5008
    CVSS Scores
    Base 10 / Temporal 7.4
    Description
    This security update resolves vulnerabilities in Adobe Flash Player that is installed on any supported edition of Windows Server version 1803, Windows 10 Version 1803, Windows Server 2016 Version 1709, Windows 10 Version 1709, Windows RT, Windows 10 Version 1703, Windows Server 2016, Windows 10 Version 1607, Windows 10 RTM, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, and Windows Server 2012.

    QID Detection Logic:
    This authenticated QID checks for the file version of %windir%\System32\Macromed\Flash\Flash.ocx for file versions lesser than 30.0.0.134.

    The KB Article associated with this update is: KB4338832

    Consequence
    Successful exploitation allows an attacker to execute code remotely and bypass security restrictions to gain access to sensitive information.

    Solution
    Customers are advised to follow KB4338832 for instructions pertaining to the remediation of these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV180017 Windows(Flash)

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update July 2018

    Severity
    Critical 4
    Qualys ID
    110320
    Vendor Reference
    KB4011202, KB4018338, KB4018351, KB4022200, KB4022202, KB4022218, KB4022224, KB4022228, KB4022235, KB4022243, KB4032214
    CVE Reference
    CVE-2018-8238, CVE-2018-8281, CVE-2018-8299, CVE-2018-8300, CVE-2018-8310, CVE-2018-8311, CVE-2018-8312, CVE-2018-8323
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description
    Microsoft releases security updates on July 2018 to fix multiple security vulnerabilities:

    This security updates contain following KBs:
    KB4011202 KB4018338 KB4018351 KB4022200 KB4022202 KB4022218 KB4022224 KB4022228 KB4022235 KB4022243 KB4032214

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update July 2018

  • Microsoft Lync and Skype for Business Security Update for July 2018

    Severity
    Critical 4
    Qualys ID
    110321
    Vendor Reference
    KB4022221, KB4022225
    CVE Reference
    CVE-2018-8238, CVE-2018-8311
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    This security update resolves vulnerabilities in Skype for Business and Microsoft Lync 2013 that could allow remote code execution by sending a specially crafted email or instant message or by getting a user to open a malicious email attachment.

    The update also fixes a Security Feature Bypass vulnerability which can allow an attacker to execute arbitrary command by forcing a user to click a link to a malicious file. Affected Products:
    Microsoft Lync 2013 Service Pack 1
    Skype for Business 2016

    KB Articles associated with this update: 4022221, 4022225

    QID Detection Logic:
    This authenticated QID detects file versions of Microsoft Lync and Skype for Business (lync.exe) lesser than 16.0.4717.1000 (KB4022221) and 15.0.5049.1000 (KB4022225)

    Consequence
    Successful exploitation of the vulnerability will lead to:

    1) Remote Code Execution
    2) Security Feature Bypass

    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Windows Security Update July 2018

    Severity
    Critical 4
    Qualys ID
    91456
    Vendor Reference
    KB4291391, KB4293756, KB4295656, KB4338814, KB4338815, KB4338818, KB4338819, KB4338820, KB4338823, KB4338824, KB4338825, KB4338826, KB4338829, KB4338830, KB4339291, KB4339503, KB4339854, KB4340583
    CVE Reference
    CVE-2018-8206, CVE-2018-8222, CVE-2018-8282, CVE-2018-8304, CVE-2018-8307, CVE-2018-8308, CVE-2018-8309, CVE-2018-8313, CVE-2018-8314
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    A denial of service vulnerability exists when Windows improperly handles File Transfer Protocol (FTP) connections.(CVE-2018-8206)
    A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. (CVE-2018-8222)
    An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. (CVE-2018-8282)
    A denial of service vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. (CVE-2018-8304)
    A security feature bypass vulnerability exists when Microsoft WordPad improperly handles embedded OLE objects. (CVE-2018-8307)
    An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. (CVE-2018-8308)
    A denial of service vulnerability exists when Windows improperly handles objects in memory. (CVE-2018-8309)
    An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions. (CVE-2018-8313)
    An elevation of privilege vulnerability exists when Windows fails a check, allowing a sandbox escape. (CVE-2018-8314)

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks for following file versions %windir%\System32\Win32k.sys for all affected OS except Windows 10 and Windows 16:
    The patch version of 6.0.6002.24417 (KB4339854)
    The patch version of 6.1.7601.24187 (KB4338818 or KB4338823)
    The patch version of 6.2.9200.22486 (KB4338820 or KB4338830)
    The patch version of 6.3.9600.19064 (KB4338815 or KB4338824)

    This QID checks for following file versions %windir%\System32\Win32kfull.sys for Windows 10 and Windows 16:
    The patch version of 10.0.10240.17914 (KB4338829)
    The patch version of 10.0.14393.2363 (KB4338814)
    The patch version of 10.0.15063.1206 (KB4338826)
    The patch version of 10.0.16299.547 (KB4338825)
    The patch version of 10.0.17134.165 (KB4338819)

    This QID checks for following files and its versions for Windows 2008 SP2:
    The patch version of %windir%\System32\Advapi32.dll 6.0.6002.24412 (KB4339291)
    The patch version of %windir%\System32\Dnsapi.dll 6.0.6002.24412 (KB4291391)
    The patch version of %windir%\system32\Mpsdrv.sys 6.0.6002.24411 (KB4293756)
    The patch version of %windir%\System32\drivers\tcpip.sys 6.0.6002.24408 (KB4295656)
    The patch version of %windir%\system32\Csrsrv.dll 6.0.6002.24421 (KB4340583)
    The patch version of %windir%\system32\Shell32.dll 6.0.6002.24414 (KB4339503)

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4291391
    KB4293756
    KB4295656
    KB4338814
    KB4338815
    KB4338818
    KB4338819
    KB4338820
    KB4338823
    KB4338824
    KB4338825
    KB4338826
    KB4338829
    KB4338830
    KB4339291
    KB4339503
    KB4339854
    KB4340583

  • Microsoft .NET Framework Security Update July 2018

    Severity
    Critical 4
    Qualys ID
    91457
    Vendor Reference
    .Net Core July 2018, KB4338415, KB4338416, KB4338417, KB4338418, KB4338419, KB4338420, KB4338421, KB4338422, KB4338423, KB4338424, KB4338600, KB4338601, KB4338602, KB4338604, KB4338605, KB4338606, KB4338610, KB4338611, KB4338612, KB4338613, KB4338814, KB4338819, KB4338825, KB4338826, KB4338829
    CVE Reference
    CVE-2018-8202, CVE-2018-8260, CVE-2018-8284, CVE-2018-8356
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. (CVE-2018-8202)

    A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. (CVE-2018-8260)

    A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. (CVE-2018-8284)

    A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates. (CVE-2018-8356)

    KB4338415,KB4338416,KB4338417,KB4338418,KB4338419,KB4338420,KB4338421,KB4338422,KB4338423,KB4338424,KB4338600,KB4338601,KB4338602,KB4338604,KB4338605,KB4338606,KB4338610,KB4338611,KB4338612,KB4338613,KB4338814,KB4338819,KB4338825,KB4338826,KB4338829 are covered in this QID

    This security update is rated Important for supported versions of Microsoft .NET Framework.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of mscorlib.dll

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    .NET Framework July 2018

  • Microsoft Visual Studio Security Update for July 2018

    Severity
    Critical 4
    Qualys ID
    91458
    Vendor Reference
    CVE-2018-8172, CVE-2018-8232
    CVE Reference
    CVE-2018-8172, CVE-2018-8232
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    Microsoft Visual Studio is affected by a Remote Code Execution Vulnerability that attackers can exploit by forcing a user to open a specially crafted file.(CVE-2018-8172)

    An attacker can add code to an application, which modifies data in an unintended manner. (CVE-2018-8232)

    Affected Software:
    Microsoft Visual Studio 2010 Service Pack 1
    Microsoft Visual Studio 2012 Update 5 Microsoft Visual Studio 2013 Update 5
    Microsoft Visual Studio 2015 Update 3
    Microsoft Visual Studio 2017
    Microsoft Visual Studio 2017 Version 15.7.5
    Microsoft Visual Studio 2017 Version 15.8 Preview

    QID Detection Logic:
    This authenticated QID verifies the file versions of Microsoft.VisualStudio.XamlUI.dll for Visual Studio 2010 SP1 and XDesProc.exe for later versions from the following registry entries:
    HKLM\SOFTWARE\Microsoft\VisualStudio.0\InstallDir
    HKLM\SOFTWARE\Wow6432Node\Microsoft\VisualStudio.0\InstallDir
    HKLM\SOFTWARE\Microsoft\VisualStudio.0\InstallDir
    HKLM\SOFTWARE\Wow6432Node\Microsoft\VisualStudio.0\InstallDir
    HKLM\SOFTWARE\Microsoft\VisualStudio\SxS\VS7
    HKLM\SOFTWARE\Wow6432Node\Microsoft\VisualStudio\SxS\VS7

    Consequence
    Successful exploitation of the vulnerabilities will lead to Remote Code Execution. The vulnerabilities can also allow an attacker to add code to an application, which modifies data in an unintended manner.

    Solution
    For more information, Customers are advised to refer the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Edge Security Update for July 2018

    Severity
    Urgent 5
    Qualys ID
    91460
    Vendor Reference
    KB4338814, KB4338819, KB4338825, KB4338826, KB4338829
    CVE Reference
    CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8276, CVE-2018-8278, CVE-2018-8279, CVE-2018-8280, CVE-2018-8286, CVE-2018-8287, CVE-2018-8288, CVE-2018-8289, CVE-2018-8290, CVE-2018-8291, CVE-2018-8294, CVE-2018-8297, CVE-2018-8301, CVE-2018-8324, CVE-2018-8325
    CVSS Scores
    Base 10 / Temporal 7.4
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser.

    Microsoft Edge is vulnerable to multiple issues.

    KB Articles associated with the update:
    1) KB4338814
    2) KB4338829
    3) KB4338826
    4) KB4338825
    5) KB4338819

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 10 (1507, 1607, 1703, 1709 and 1803) and Windows Server 2016
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.10240.17914 (KB4338829)
    The patch version is 11.0.14393.2363 (KB4338814)
    The patch version is 11.0.15063.1206 (KB4338826)
    The patch version is 11.0.16299.547 (KB4338825)
    The patch version is 11.0.17134.165 (KB4338819)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.

    Solution
    Customers are advised to refer to Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows(Edge)

These new vulnerability checks are included in Qualys vulnerability signature 2.4.370-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100339
    • 100340
    • 110320
    • 110321
    • 91456
    • 91457
    • 91458
    • 91460
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.