
Microsoft security alert.

August 14, 2018

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 66 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit our blog to see how to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 10 security bulletins to fix newly discovered flaws in its software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for August 2018

    Severity
    Critical 4
    Qualys ID
    100341
    Vendor Reference
    KB4343205, KB4343885, KB4343887, KB4343892, KB4343897, KB4343898, KB4343899, KB4343900, KB4343901, KB4343909
    CVE Reference
    CVE-2018-8316, CVE-2018-8351, CVE-2018-8353, CVE-2018-8355, CVE-2018-8357, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8403
    CVSS Scores
    Base 6.8 / Temporal 5.3
    Description
    Internet Explorer is a web browser developed by Microsoft and included in Microsoft Windows operating systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer that address various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The security update is rated Moderate for Internet Explorer 9 (IE 9) and Internet Explorer 10 (IE 10) and Important for Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    KB Articles associated with the Update:
    1) 4343900
    2) 4343899
    3) 4343898
    4) 4343205
    5) 4343887
    6) 4343892
    7) 4343885
    8) 4343897
    9) 4343909
    10) 4343901

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks for the file version of %windir%\System32\mshtml.dll
    The following KBs are checked:
    The patch version is 11.0.9600.19101 (KB4343900 or KB4343898 or KB4343205)
    The patch version is 11.0.10240.17946 (KB4343892)
    The patch version is 11.0.14393.2430 (KB4343887)
    The patch version is 11.0.15063.1266 (KB4343885)
    The patch version is 11.0.16299.611 (KB4343897)
    The patch version is 11.0.17134.228 (KB4343909)
    The patch version is 10.0.9200.22522 (KB4343901 or KB4343205)
    The patch version is 9.0.8112.21252 (KB4343205)

    On Windows Server 2008 R2 and Windows 7, the QID also checks the file version of %windir%\System32\hlink.dll if Internet Explorer 11 is present, to verify the fix for CVE-2018-8316.
    The patch version is 6.1.7601.24228 (KB4343899).

    Consequence
    Successful exploitation of the vulnerability will lead to:

    1) Remote Code Execution
    2) Information Disclosure
    3) Elevation of Privilege

    Solution
    Customers are advised to refer to the Security Update Guide for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Windows Adobe Flash Player Security Update for August 2018 (ADV180020)

    Severity
    Urgent 5
    Qualys ID
    100342
    Vendor Reference
    ADV180020
    CVE Reference
    CVE-2018-12824, CVE-2018-12825, CVE-2018-12826, CVE-2018-12827, CVE-2018-12828
    CVSS Scores
    Base 10 / Temporal 7.8
    Description
    This security update resolves vulnerabilities in Adobe Flash Player when it is installed on any supported edition of Windows Server version 1803, Windows 10 Version 1803, Windows Server 2016 Version 1709, Windows 10 Version 1709, Windows RT, Windows 10 Version 1703, Windows Server 2016, Windows 10 Version 1607, Windows 10 RTM, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, and Windows Server 2012.

    QID Detection Logic:
    This authenticated QID checks the file version of %windir%\System32\Macromed\Flash\Flash.ocx and flags versions lower than 30.0.0.154.

    The KB Article associated with this update is: KB4343902

    Consequence
    Successful exploitation allows an attacker to compromise the system.

    Solution
    Customers are advised to follow KB4343902 for instructions pertaining to the remediation of these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV180020

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2018

    Severity
    Critical 4
    Qualys ID
    110322
    Vendor Reference
    KB3213636, KB4018310, KB4018392, KB4022195, KB4022198, KB4022234, KB4022236, KB4022238, KB4032212, KB4032213, KB4032215, KB4032220, KB4032222, KB4032223, KB4032229, KB4032233, KB4032235, KB4032239, KB4032240, KB4032241, KB4032256, KB4092433, KB4092434
    CVE Reference
    CVE-2018-8375, CVE-2018-8376, CVE-2018-8378, CVE-2018-8379, CVE-2018-8382, CVE-2018-8412
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description
    Microsoft released security updates in August 2018 to fix multiple security vulnerabilities.

    These security updates consist of the following KBs:
    KB3213636 KB4018310 KB4018392 KB4022195 KB4022198 KB4022234 KB4022236 KB4022238 KB4032212 KB4032213 KB4032215 KB4032220 KB4032222 KB4032223 KB4032229 KB4032233 KB4032235 KB4032239 KB4032240 KB4032241 KB4032256 KB4092433 KB4092434

    QID Detection Logic:
    This authenticated QID compares the file versions listed in the Microsoft KB articles above with the versions present on the affected Office installation.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2018

  • Microsoft Security Update for SQL Server for August 2018

    Severity
    Critical 4
    Qualys ID
    22001
    Vendor Reference
    CVE-2018-8273
    CVE Reference
    CVE-2018-8273
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description
    A buffer overflow vulnerability exists in Microsoft SQL Server that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account.

    QID Detection Logic:
    This authenticated QID checks for vulnerable MSSQL versions lower than 2015.130.4224.16, 2015.130.4522.0, 2015.131.5081.1, 2015.131.5201.2, 2017.140.2002.14 or 2017.140.3035.2.
    Knowledge base articles: KB4293808, KB4458842, KB4293803, KB4293805, KB4293802, KB4458621.

    Note: Security Update KB4458621 has replaced KB4293807 and Security Update KB4458842 has replaced KB4293801. Refer to Revisions Section of CVE-2018-8273 for more information.

    Consequence
    Successful exploitation allows an attacker to execute code.
    Solution
    Customers are advised to refer to CVE-2018-8273 for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4293801 Microsoft SQL Server 2016 for x64-based Systems Service Pack 1
    KB4293802 Microsoft SQL Server 2016 for x64-based Systems Service Pack 2
    KB4293803 Microsoft SQL Server 2017 for x64-based Systems
    KB4293805 Microsoft SQL Server 2017 for x64-based Systems (CU)
    KB4293807 Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
    KB4293808 Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU)

  • Microsoft Exchange Server Security Update for August 2018

    Severity
    Critical 4
    Qualys ID
    53016
    Vendor Reference
    Exchange Server 2010, Exchange Server 2013, Exchange Server 2016
    CVE Reference
    CVE-2018-8302, CVE-2018-8374
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    Microsoft Exchange Server 2013 and 2016 contain the following vulnerabilities:
    CVE-2018-8302: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
    CVE-2018-8374: A tampering vulnerability exists when Microsoft Exchange Server fails to properly handle profile data.

    Affected Versions:
    Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 23
    Microsoft Exchange Server 2013 Cumulative Update 20, 21
    Microsoft Exchange Server 2016 Cumulative Update 9, 10

    KB Articles: 4340733, 4340731

    QID Detection Logic:
    This authenticated QID detects whether the Exsetup.exe file version is lower than 15.1.1531.6, 15.1.1466.10, 15.0.1395.7 or 14.3.417.1.

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could modify a targeted user's profile data or execute arbitrary code in the context of the System user.
    Solution
    Customers are advised to refer to KB4340731 and KB4340733 for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4340731
    KB4340733

  • Microsoft Edge Security Update for August 2018

    Severity
    Urgent 5
    Qualys ID
    91464
    Vendor Reference
    KB4343885, KB4343887, KB4343892, KB4343897, KB4343909
    CVE Reference
    CVE-2018-8266, CVE-2018-8351, CVE-2018-8355, CVE-2018-8357, CVE-2018-8358, CVE-2018-8370, CVE-2018-8372, CVE-2018-8377, CVE-2018-8380, CVE-2018-8381, CVE-2018-8383, CVE-2018-8385, CVE-2018-8387, CVE-2018-8388, CVE-2018-8390, CVE-2018-8403
    CVSS Scores
    Base 9.3 / Temporal 7.3
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser.

    Microsoft Edge is vulnerable to multiple issues.

    KB Articles associated with the update:
    1) KB4343887
    2) KB4343892
    3) KB4343885
    4) KB4343897
    5) KB4343909

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 10 (1507, 1607, 1703, 1709 and 1803) and Windows Server 2016
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.10240.17946 (KB4343892)
    The patch version is 11.0.14393.2430 (KB4343887)
    The patch version is 11.0.15063.1266 (KB4343885)
    The patch version is 11.0.16299.611 (KB4343897)
    The patch version is 11.0.17134.228 (KB4343909)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.

    Solution
    Customers are advised to refer to Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide: Windows (Edge)

  • Microsoft Windows Security Update August 2018

    Severity
    Critical 4
    Qualys ID
    91465
    Vendor Reference
    KB4341832, KB4338380, KB4340937, KB4340939, KB4343674, KB4343885, KB4343887, KB4343888, KB4343892, KB4343896, KB4343897, KB4343898, KB4343899, KB4343900, KB4343901, KB4343909, KB4344104
    CVE Reference
    CVE-2018-0952, CVE-2018-8200, CVE-2018-8204, CVE-2018-8253, CVE-2018-8339, CVE-2018-8340, CVE-2018-8341, CVE-2018-8342, CVE-2018-8343, CVE-2018-8344, CVE-2018-8345, CVE-2018-8346, CVE-2018-8347, CVE-2018-8348, CVE-2018-8349, CVE-2018-8350, CVE-2018-8394, CVE-2018-8396, CVE-2018-8397, CVE-2018-8398, CVE-2018-8399, CVE-2018-8400, CVE-2018-8401, CVE-2018-8404, CVE-2018-8405, CVE-2018-8406, CVE-2018-8414
    CVSS Scores
    Base 6.8 / Temporal 5.3
    Description
    An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. (CVE-2018-8398)
    An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. (CVE-2018-8399)
    An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. (CVE-2018-8400, CVE-2018-8401 and CVE-2018-8405)
    An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. (CVE-2018-8404)
    An elevation of privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952)
    A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. (CVE-2018-8200)
    A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. (CVE-2018-8204)
    An elevation of privilege vulnerability exists when Microsoft Cortana allows arbitrary website browsing on the lock screen. (CVE-2018-8253)
    An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input, leading to insecure library loading behavior. (CVE-2018-8339)
    A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests. (CVE-2018-8340)
    An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8342 and CVE-2018-8343)
    A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. (CVE-2018-8344)
    A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. (CVE-2018-8345 and CVE-2018-8346)
    An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. (CVE-2018-8347)
    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8348)
    A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. (CVE-2018-8349)
    A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. (CVE-2018-8350)
    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8341)
    An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. (CVE-2018-8394 and CVE-2018-8396)
    A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface handles objects in memory. (CVE-2018-8397)
    An elevation of privilege vulnerability exists when the DirectX Graphics Kernel driver improperly handles objects in memory. (CVE-2018-8406)
    A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. (CVE-2018-8414)

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    4338380
    4340937
    4340939
    4341832
    4343674
    4343885
    4343887
    4343888
    4343892
    4343896
    4343897
    4343898
    4343899
    4343900
    4343901
    4343909
    4344104

  • Microsoft Visual Studio Security Update for August 2018

    Severity
    Critical 4
    Qualys ID
    91466
    Vendor Reference
    CVE-2018-0952
    CVE Reference
    CVE-2018-0952
    CVSS Scores
    Base 6.8 / Temporal 5.3
    Description
    An elevation of privilege vulnerability exists in a Visual Studio service that can give a non-admin user system privileges when writing files. An attacker who took advantage of this could write files as system while only having user-level access. This security update addresses the issue by impersonating the current user to validate access to the file location.

    Affected Software:
    Microsoft Visual Studio 2015 Update 3
    Microsoft Visual Studio 2017
    Microsoft Visual Studio 2017 Version 15.8

    QID Detection Logic:
    This QID detects vulnerable versions of Microsoft Visual Studio 2017 Version 15.8 by checking whether the System.VisualStudio.15.0.dll file version is lower than 14.13.26706.0.

    Consequence
    Successful exploitation of this vulnerability allows an attacker to write files as system while only having user level access.
    Solution
    Customers are advised to refer to CVE-2018-0952 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2018-0952

  • Microsoft .NET Framework Security Update August 2018

    Severity
    Critical 4
    Qualys ID
    91467
    Vendor Reference
    KB4344151, KB4343885, KB4343887, KB4343892, KB4343897, KB4343909, KB4344144, KB4344145, KB4344146, KB4344147, KB4344148, KB4344149, KB4344150, KB4344152, KB4344153, KB4344165, KB4344166, KB4344167, KB4344171, KB4344172, KB4344173, KB4344175, KB4344176, KB4344177, KB4344178
    CVE Reference
    CVE-2018-8360
    CVSS Scores
    Base 5.8 / Temporal 4.3
    Description
    An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream.

    This QID covers KB4343885, KB4343887, KB4343892, KB4343897, KB4343909, KB4344144, KB4344145, KB4344146, KB4344147, KB4344148, KB4344149, KB4344150, KB4344151, KB4344152, KB4344153, KB4344165, KB4344166, KB4344167, KB4344171, KB4344172, KB4344173, KB4344175, KB4344176, KB4344177 and KB4344178.

    This security update is rated Important for supported versions of Microsoft .NET Framework.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of mscorlib.dll

    Consequence
    Successful exploitation allows an attacker to access data belonging to another customer.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    .NET Framework August 2018

  • Microsoft Windows update for L1 Terminal Fault (L1TF) vulnerabilities (ADV180018)

    Severity
    Critical 4
    Qualys ID
    91468
    Vendor Reference
    ADV180018
    CVE Reference
    CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
    CVSS Scores
    Base 4.7 / Temporal 3.7
    Description
    On January 3, 2018, Microsoft released an advisory and security updates related to hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels.

    On August 14, 2018, a new subclass of speculative execution side channel vulnerabilities known as L1 Terminal Fault (L1TF) was announced and assigned CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646.

    The vulnerabilities affect Intel Core processors and Intel Xeon processors.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks whether the running processor is an Intel processor by looking up the registry key "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor{DESCRIPTION}" value "VendorIdentifier".
    This QID checks for the following file versions of %windir%\System32\Win32k.sys on all affected operating systems except Windows 2008 SP2, Windows 10 and Windows 2016:
    The patch version of 6.1.7601.24204 (KB4343900 or KB4343899)
    The patch version of 6.2.9200.22515 (KB4343901 or KB4343896)
    The patch version of 6.3.9600.19095 (KB4343898 or KB4343888)

    This QID checks for the following file versions of %windir%\System32\Win32kfull.sys on Windows 10 and Windows 2016:
    The patch version of 10.0.10240.17946 (KB4343892)
    The patch version of 10.0.14393.2430 (KB4343887)
    The patch version of 10.0.15063.1266 (KB4343885)
    The patch version of 10.0.16299.611 (KB4343897)
    The patch version of 10.0.17134.228 (KB4343909)

    This QID checks the following file and version on Windows 2008 SP2:
    The patch version of %windir%\System32\Advapi32.dll 6.0.6002.24444 (KB4341832)

    Consequence
    An attacker who has successfully exploited L1TF may be able to read privileged data across trust boundaries. In shared resource environments (such as those found in some cloud service configurations), this vulnerability could allow one virtual machine to improperly access information from another. An attacker would need prior access to the system or the ability to run code on the system to leverage this vulnerability.

    Solution
    Customers are advised to refer to ADV180018 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV180018
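
The authenticated file-version checks described for QID 100341 (mshtml.dll), QID 91464 (edgehtml.dll) and QID 91468 (Win32k.sys / Win32kfull.sys) share one shape: find the patch level for the installed file's own servicing branch, then compare against it. The Python below is an added example and not Qualys code; it assumes that a version below the listed patch level means the update is absent, and the host inventory it evaluates is constructed.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

def parse_version(text: str) -> Version:
    """Parse a four-part Windows file version such as '11.0.9600.19101'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    major, minor, build, revision = (int(p) for p in parts)
    return (major, minor, build, revision)

# Patch levels copied from the QID 100341 logic for %windir%\System32\mshtml.dll,
# each paired with the KB(s) the advisory lists as delivering it.
MSHTML_PATCHED = {
    "11.0.9600.19101": "KB4343900 or KB4343898 or KB4343205",
    "11.0.10240.17946": "KB4343892",
    "11.0.14393.2430": "KB4343887",
    "11.0.15063.1266": "KB4343885",
    "11.0.16299.611": "KB4343897",
    "11.0.17134.228": "KB4343909",
    "10.0.9200.22522": "KB4343901 or KB4343205",
    "9.0.8112.21252": "KB4343205",
}

# Patch levels from the QID 91468 (L1TF) logic for %windir%\System32\Win32k.sys.
WIN32K_PATCHED = {
    "6.1.7601.24204": "KB4343900 or KB4343899",
    "6.2.9200.22515": "KB4343901 or KB4343896",
    "6.3.9600.19095": "KB4343898 or KB4343888",
}

def by_branch(patched: Dict[str, str]) -> Dict[Tuple[int, int, int], Tuple[Version, str]]:
    """Index patch levels by (major, minor, build), i.e. by servicing branch.
    A host is judged only against the fix for its own branch; comparing
    11.0.9600.x with the highest listed value (11.0.17134.228) would be wrong."""
    versions = {parse_version(text): kb for text, kb in patched.items()}
    return {v[:3]: (v, kb) for v, kb in versions.items()}

def assess(installed: str, patched: Dict[str, str]) -> Optional[Tuple[bool, str]]:
    """Return (missing_patch, kb) when the installed file's branch is in the table,
    or None when the branch is not listed and the check makes no determination.
    Assumption: a version below the listed patch level means the update is absent."""
    v = parse_version(installed)
    entry = by_branch(patched).get(v[:3])
    if entry is None:
        return None
    fixed, kb = entry
    return (v < fixed, kb)

# One QID binds one patch table to one file; the keys are the paths quoted above.
CHECKS = {
    r"%windir%\System32\mshtml.dll": MSHTML_PATCHED,
    r"%windir%\System32\Win32k.sys": WIN32K_PATCHED,
}

def scan_host(inventory: Dict[str, str]) -> Dict[str, str]:
    """Evaluate a {path: version} inventory and report the KB needed per file."""
    findings = {}
    for path, table in CHECKS.items():
        if path in inventory:
            result = assess(inventory[path], table)
            if result is not None and result[0]:
                findings[path] = result[1]
    return findings

# Constructed inventory: a Windows 7 host whose IE 11 mshtml.dll predates the
# August 2018 level while Win32k.sys already carries the L1TF fix.
SAMPLE_INVENTORY = {
    r"%windir%\System32\mshtml.dll": "11.0.9600.19080",
    r"%windir%\System32\Win32k.sys": "6.1.7601.24204",
}
```

Running scan_host(SAMPLE_INVENTORY) reports only mshtml.dll, since the Win32k.sys version already equals the patch level for the 6.1.7601 branch.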

These new vulnerability checks are included in Qualys vulnerability signature 2.4.395-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100341
    • 100342
    • 110322
    • 22001
    • 53016
    • 91464
    • 91465
    • 91466
    • 91467
    • 91468
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.