Microsoft security alert.
July 10, 2018
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 46 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Security Update for July 2018
- Severity
- Critical 4
- Qualys ID
- 100339
- Vendor Reference
- KB4338814, KB4338815, KB4338818, KB4338819, KB4338825, KB4338826, KB4338829, KB4338830, KB4339093
- CVE Reference
- CVE-2018-0949, CVE-2018-8242, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.
Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The security updated is rated Moderate for for Internet Explorer 9 (IE 9) and Internet Explorer 10 (IE 10) and Critical for Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.
KB Articles associated with the Update:
1) 4338818
2) 4339093
3) 4338815
4) 4338814
5) 4338829
6) 4338826
7) 4338825
8) 4338819
9) 4338830QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
This QID checks for the file version of %windir%\System32\mshtml.dll
The following KBs are checked:
The patch version is 11.0.9600.19081 (KB4338818 or KB4339093 - Windows Server 2008 R2, Windows 7,)
The patch version is 11.0.9600.19061 (KB4339093 or KB4338815 - Windows 8.1, Windows RT 8.1, Windows Server 2012 R2)
The patch version is 11.0.10240.17914 (KB4284860)
The patch version is 11.0.14393.2363 (KB4284880)
The patch version is 11.0.15063.1206 (KB4284874)
The patch version is 11.0.16299.547 (KB4284819)
The patch version is 11.0.17134.165 (KB4284835)
The patch version is 10.0.9200.22500 (KB4339093 or KB4338830)
The patch version is 9.0.8112.21250 (KB4339093)
- Consequence
-
Successful exploitation of the vulnerability will lead to:
1) Remote Code Execution
2) Security Feature Bypass
- Solution
-
For more information, Customers are advised to refer the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
-
Microsoft Windows Adobe Flash Player Security Update for July 2018 (ADV180017)
- Severity
- Urgent 5
- Qualys ID
- 100340
- Vendor Reference
- ADV180017
- CVE Reference
- CVE-2018-5007, CVE-2018-5008
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
This security update resolves vulnerabilities in Adobe Flash Player that is installed on any supported edition of
Windows Server version 1803, Windows 10 Version 1803, Windows Server 2016 Version 1709, Windows 10 Version 1709, Windows RT, Windows 10 Version 1703, Windows Server 2016, Windows 10 Version 1607, Windows 10 RTM, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, and Windows Server 2012.
QID Detection Logic:
This authenticated QID checks for the file version of %windir%\System32\Macromed\Flash\Flash.ocx for file versions lesser than 30.0.0.134.The KB Article associated with this update is: KB4338832
- Consequence
-
Successful exploitation allows an attacker to execute code remotely and bypass security restrictions to gain access to sensitive information.
- Solution
-
Customers are advised to follow KB4338832 for instructions pertaining to the remediation of these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV180017 Windows(Flash)
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update July 2018
- Severity
- Critical 4
- Qualys ID
- 110320
- Vendor Reference
- KB4011202, KB4018338, KB4018351, KB4022200, KB4022202, KB4022218, KB4022224, KB4022228, KB4022235, KB4022243, KB4032214
- CVE Reference
- CVE-2018-8238, CVE-2018-8281, CVE-2018-8299, CVE-2018-8300, CVE-2018-8310, CVE-2018-8311, CVE-2018-8312, CVE-2018-8323
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft releases security updates on July 2018 to fix multiple security vulnerabilities:
This security updates contain following KBs:
KB4011202 KB4018338 KB4018351 KB4022200 KB4022202 KB4022218 KB4022224 KB4022228 KB4022235 KB4022243 KB4032214QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system. - Consequence
- Successful exploitation allows an attacker to execute arbitrary code.
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update July 2018
-
Microsoft Lync and Skype for Business Security Update for July 2018
- Severity
- Critical 4
- Qualys ID
- 110321
- Vendor Reference
- KB4022221, KB4022225
- CVE Reference
- CVE-2018-8238, CVE-2018-8311
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
This security update resolves vulnerabilities in Skype for Business and Microsoft Lync 2013 that could allow remote code execution by sending a specially crafted email or instant message or by getting a user to open a malicious email attachment.
The update also fixes a Security Feature Bypass vulnerability which can allow an attacker to execute arbitrary command by forcing a user to click a link to a malicious file. Affected Products:
Microsoft Lync 2013 Service Pack 1
Skype for Business 2016KB Articles associated with this update: 4022221, 4022225
QID Detection Logic:
This authenticated QID detects file versions of Microsoft Lync and Skype for Business (lync.exe) lesser than 16.0.4717.1000 (KB4022221) and 15.0.5049.1000 (KB4022225) - Consequence
-
Successful exploitation of the vulnerability will lead to:
1) Remote Code Execution
2) Security Feature Bypass
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
-
Microsoft Windows Security Update July 2018
- Severity
- Critical 4
- Qualys ID
- 91456
- Vendor Reference
- KB4291391, KB4293756, KB4295656, KB4338814, KB4338815, KB4338818, KB4338819, KB4338820, KB4338823, KB4338824, KB4338825, KB4338826, KB4338829, KB4338830, KB4339291, KB4339503, KB4339854, KB4340583
- CVE Reference
- CVE-2018-8206, CVE-2018-8222, CVE-2018-8282, CVE-2018-8304, CVE-2018-8307, CVE-2018-8308, CVE-2018-8309, CVE-2018-8313, CVE-2018-8314
- CVSS Scores
- Base 8.5 / Temporal 6.3
- Description
-
A denial of service vulnerability exists when Windows improperly handles File Transfer Protocol (FTP) connections.(CVE-2018-8206)
A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. (CVE-2018-8222)
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. (CVE-2018-8282)
A denial of service vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. (CVE-2018-8304)
A security feature bypass vulnerability exists when Microsoft WordPad improperly handles embedded OLE objects. (CVE-2018-8307)
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. (CVE-2018-8308)
A denial of service vulnerability exists when Windows improperly handles objects in memory. (CVE-2018-8309)
An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions. (CVE-2018-8313)
An elevation of privilege vulnerability exists when Windows fails a check, allowing a sandbox escape. (CVE-2018-8314)
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
This QID checks for following file versions %windir%\System32\Win32k.sys for all affected OS except Windows 10 and Windows 16:
The patch version of 6.0.6002.24417 (KB4339854)
The patch version of 6.1.7601.24187 (KB4338818 or KB4338823)
The patch version of 6.2.9200.22486 (KB4338820 or KB4338830)
The patch version of 6.3.9600.19064 (KB4338815 or KB4338824)
This QID checks for following file versions %windir%\System32\Win32kfull.sys for Windows 10 and Windows 16:
The patch version of 10.0.10240.17914 (KB4338829)
The patch version of 10.0.14393.2363 (KB4338814)
The patch version of 10.0.15063.1206 (KB4338826)
The patch version of 10.0.16299.547 (KB4338825)
The patch version of 10.0.17134.165 (KB4338819)
This QID checks for following files and its versions for Windows 2008 SP2:
The patch version of %windir%\System32\Advapi32.dll 6.0.6002.24412 (KB4339291)
The patch version of %windir%\System32\Dnsapi.dll 6.0.6002.24412 (KB4291391)
The patch version of %windir%\system32\Mpsdrv.sys 6.0.6002.24411 (KB4293756)
The patch version of %windir%\System32\drivers\tcpip.sys 6.0.6002.24408 (KB4295656)
The patch version of %windir%\system32\Csrsrv.dll 6.0.6002.24421 (KB4340583)
The patch version of %windir%\system32\Shell32.dll 6.0.6002.24414 (KB4339503)
- Consequence
- Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4291391
KB4293756
KB4295656
KB4338814
KB4338815
KB4338818
KB4338819
KB4338820
KB4338823
KB4338824
KB4338825
KB4338826
KB4338829
KB4338830
KB4339291
KB4339503
KB4339854
KB4340583
-
Microsoft .NET Framework Security Update July 2018
- Severity
- Critical 4
- Qualys ID
- 91457
- Vendor Reference
- .Net Core July 2018, KB4338415, KB4338416, KB4338417, KB4338418, KB4338419, KB4338420, KB4338421, KB4338422, KB4338423, KB4338424, KB4338600, KB4338601, KB4338602, KB4338604, KB4338605, KB4338606, KB4338610, KB4338611, KB4338612, KB4338613, KB4338814, KB4338819, KB4338825, KB4338826, KB4338829
- CVE Reference
- CVE-2018-8202, CVE-2018-8260, CVE-2018-8284, CVE-2018-8356
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. (CVE-2018-8202)
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. (CVE-2018-8260)
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. (CVE-2018-8284)
A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates. (CVE-2018-8356)
KB4338415,KB4338416,KB4338417,KB4338418,KB4338419,KB4338420,KB4338421,KB4338422,KB4338423,KB4338424,KB4338600,KB4338601,KB4338602,KB4338604,KB4338605,KB4338606,KB4338610,KB4338611,KB4338612,KB4338613,KB4338814,KB4338819,KB4338825,KB4338826,KB4338829 are covered in this QID
This security update is rated Important for supported versions of Microsoft .NET Framework.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of mscorlib.dll - Consequence
- Successful exploitation allows an attacker to execute arbitrary code.
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
.NET Framework July 2018
-
Microsoft Visual Studio Security Update for July 2018
- Severity
- Critical 4
- Qualys ID
- 91458
- Vendor Reference
- CVE-2018-8172
- CVE Reference
- CVE-2018-8172
- CVSS Scores
- Base 9.3 / Temporal 7.3
- Description
-
Microsoft Visual Studio is affected by a Remote Code Execution Vulnerability that attackers can exploit by forcing a user to open a specially crafted file.(CVE-2018-8172)
An attacker can add code to an application, which modifies data in an unintended manner. (CVE-2018-8232)
Affected Software:
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2012 Update 5
Microsoft Visual Studio 2013 Update 5
Microsoft Visual Studio 2015 Update 3
QID Detection Logic:
This authenticated QID verifies the file versions of Microsoft.VisualStudio.XamlUI.dll for Visual Studio 2010 SP1 and devenv.exe for later versions from the following registry entries:
- Consequence
-
Successful exploitation of the vulnerabilities will lead to Remote Code Execution. The vulnerabilities can also allow an attacker to add code to an application, which modifies data in an unintended manner.
- Solution
-
For more information, Customers are advised to refer the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
-
Microsoft Edge Security Update for July 2018
- Severity
- Urgent 5
- Qualys ID
- 91460
- Vendor Reference
- KB4338814, KB4338819, KB4338825, KB4338826, KB4338829
- CVE Reference
- CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8276, CVE-2018-8278, CVE-2018-8279, CVE-2018-8280, CVE-2018-8286, CVE-2018-8287, CVE-2018-8288, CVE-2018-8289, CVE-2018-8290, CVE-2018-8291, CVE-2018-8294, CVE-2018-8297, CVE-2018-8301, CVE-2018-8324, CVE-2018-8325
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser.
Microsoft Edge is vulnerable to multiple issues.
KB Articles associated with the update:
1) KB4338814
2) KB4338829
3) KB4338826
4) KB4338825
5) KB4338819QID Detection Logic (Authenticated):
Operating Systems: Windows 10 (1507, 1607, 1703, 1709 and 1803) and Windows Server 2016
This QID reviews the file version of %windir%\System32\edgehtml.dll
The patch version is 11.0.10240.17914 (KB4338829)
The patch version is 11.0.14393.2363 (KB4338814)
The patch version is 11.0.15063.1206 (KB4338826)
The patch version is 11.0.16299.547 (KB4338825)
The patch version is 11.0.17134.165 (KB4338819)
- Consequence
-
Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.
- Solution
-
Customers are advised to refer to Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows(Edge)
These new vulnerability checks are included in Qualys vulnerability signature 2.4.370-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100339
- 100340
- 110320
- 110321
- 91456
- 91457
- 91458
- 91460
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.