Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 66 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
Microsoft has released Cumulative Security Updates for Internet Explorer that address various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The security update is rated Moderate for Internet Explorer 9 (IE 9) and Internet Explorer 10 (IE 10) and Important for Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.
KB Articles associated with the Update:
1) 4343900
2) 4343899
3) 4343898
4) 4343205
5) 4343887
6) 4343892
7) 4343885
8) 4343897
9) 4343909
10) 4343901
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
This QID checks for the file version of %windir%\System32\mshtml.dll
The following KBs are checked:
The patch version is 11.0.9600.19101 (KB4343900 or KB4343898 or KB4343205)
The patch version is 11.0.10240.17946 (KB4343892)
The patch version is 11.0.14393.2430 (KB4343887)
The patch version is 11.0.15063.1266 (KB4343885)
The patch version is 11.0.16299.611 (KB4343897)
The patch version is 11.0.17134.228 (KB4343909)
The patch version is 10.0.9200.22522 (KB4343901 or KB4343205)
The patch version is 9.0.8112.21252 (KB4343205)
On Windows Server 2008 R2 and Windows 7, the QID also checks the file version of %windir%\System32\hlink.dll if Internet Explorer 11 is present.
This is to verify the fix for CVE-2018-8316.
The patch version is 6.1.7601.24228 (KB4343899).
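The mshtml.dll file-version comparison described above, as an added PowerShell example (not Qualys's own detection code). The helper name Test-MshtmlPatchLevel, the sample versions, and the choice to match the installed file to a row by its Major.Minor.Build branch are assumptions made here; the patched versions and KB numbers are copied from the list above.

```powershell
# Patched mshtml.dll versions and KBs, copied from the list above.
$Patched = @(
    @{ Version = [version]'11.0.9600.19101';  KB = 'KB4343900 or KB4343898 or KB4343205' }
    @{ Version = [version]'11.0.10240.17946'; KB = 'KB4343892' }
    @{ Version = [version]'11.0.14393.2430';  KB = 'KB4343887' }
    @{ Version = [version]'11.0.15063.1266';  KB = 'KB4343885' }
    @{ Version = [version]'11.0.16299.611';   KB = 'KB4343897' }
    @{ Version = [version]'11.0.17134.228';   KB = 'KB4343909' }
    @{ Version = [version]'10.0.9200.22522';  KB = 'KB4343901 or KB4343205' }
    @{ Version = [version]'9.0.8112.21252';   KB = 'KB4343205' }
)

function Test-MshtmlPatchLevel {   # hypothetical helper, not a Qualys or Microsoft cmdlet
    param([Parameter(Mandatory)][version]$Installed)
    # Assumption: compare only against the row of the same Major.Minor.Build branch.
    $row = $Patched | Where-Object {
        $_.Version.Major -eq $Installed.Major -and
        $_.Version.Minor -eq $Installed.Minor -and
        $_.Version.Build -eq $Installed.Build
    } | Select-Object -First 1
    if (-not $row) {
        # A branch that is not in the table cannot be judged from this list.
        return [pscustomobject]@{ Installed = $Installed; Status = 'NoMatchingBranch'; KB = $null }
    }
    # [version] compares each part numerically, so x.99 sorts below x.611
    # (a plain string comparison would get this wrong).
    $status = if ($Installed -lt $row.Version) { 'Missing' } else { 'Patched' }
    [pscustomobject]@{ Installed = $Installed; Status = $status; KB = $row.KB }
}

# Constructed sample versions: below the fix, at the fix, and a branch not in the table.
'11.0.16299.99', '11.0.17134.228', '11.0.18362.1' |
    ForEach-Object { Test-MshtmlPatchLevel $_ }

# On a live Windows host, build the version from the numeric parts; the
# FileVersion string can carry extra text and is not safe to cast directly.
if ($env:windir -and (Test-Path (Join-Path $env:windir 'System32\mshtml.dll'))) {
    $vi = (Get-Item (Join-Path $env:windir 'System32\mshtml.dll')).VersionInfo
    Test-MshtmlPatchLevel ([version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart))
}
```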
1) Remote Code Execution
2) Information Disclosure
3) Elevation of Privilege
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
QID Detection Logic:
This authenticated QID checks whether the file version of %windir%\System32\Macromed\Flash\Flash.ocx is lower than 30.0.0.154.
The KB Article associated with this update is: KB44343902
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV180020
This security update contains the following KBs:
KB3213636
KB4018310
KB4018392
KB4022195
KB4022198
KB4022234
KB4022236
KB4022238
KB4032212
KB4032213
KB4032215
KB4032220
KB4032222
KB4032223
KB4032229
KB4032233
KB4032235
KB4032239
KB4032240
KB4032241
KB4032256
KB4092433
KB4092434
QID Detection Logic:
This authenticated QID compares the file versions listed in the above Microsoft KB articles with the versions on the affected Office system.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2018
Note: Security Update KB4458621 has replaced KB4293807 and Security Update KB4458842 has replaced KB4293801. Refer to Revisions Section of CVE-2018-8273 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4293801 Microsoft SQL Server 2016 for x64-based Systems Service Pack 1
KB4293802 Microsoft SQL Server 2016 for x64-based Systems Service Pack 2
KB4293803 Microsoft SQL Server 2017 for x64-based Systems
KB4293805 Microsoft SQL Server 2017 for x64-based Systems (CU)
KB4293807 Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
KB4293808 Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU)
Affected Versions:
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 23
Microsoft Exchange Server 2013 Cumulative Update 20, 21
Microsoft Exchange Server 2016 Cumulative Update 9, 10
KB Articles: 4340733, 4340731
QID Detection Logic:
This authenticated QID detects whether the Exsetup.exe file version is lower than 15.1.1531.6, 15.1.1466.10, 15.0.1395.7 or 14.3.417.1.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4340731
KB4340733
Microsoft Edge is vulnerable to multiple issues.
KB Articles associated with the update:
1) KB4343887
2) KB4343892
3) KB4343885
4) KB4343897
5) KB4343909
QID Detection Logic (Authenticated):
Operating Systems: Windows 10 (1507, 1607, 1703, 1709 and 1803) and Windows Server 2016
This QID reviews the file version of %windir%\System32\edgehtml.dll
The patch version is 11.0.10240.17946 (KB4343892)
The patch version is 11.0.14393.2430 (KB4343887)
The patch version is 11.0.15063.1266 (KB4343885)
The patch version is 11.0.16299.611 (KB4343897)
The patch version is 11.0.17134.228 (KB4343909)
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows(Edge)
Elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.(CVE-2018-8399)
Elevation of privilege vulnerability exists in the DirectX Graphics Kernel(CVE-2018-8400, CVE-2018-8401 and CVE-2018-8405)
Elevation of privilege vulnerability exists in Windows when the Win32k .(CVE-2018-8404)
Elevation of Privilege vulnerability exists in Diagnostics Hub Standard Collector .(CVE-2018-0952)
Security feature bypass vulnerability exists in Device Guard t(CVE-2018-8200, CVE-2018-8204)
Elevation of privilege vulnerability exists when Microsoft Cortana allows arbitrary website browsing on the lockscreen. (CVE-2018-8253)
Elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. (CVE-2018-8339)
Security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests.(CVE-2018-8340)
Elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it.(CVE-2018-8342 and CVE-2018-8343)
Remote code execution (RCE) vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. (CVE-2018-8344)
A vulnerability exists in Microsoft Windows that could allow RCE if a .LNK file is processed.(CVE-2018-8345 and CVE-2018-8346)
Elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links.(CVE-2018-8347)
Information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory.(CVE-2018-8348)
RCE vulnerability exists in Microsoft COM when it fails to properly handle serialized objects. (CVE-2018-8349)
RCE vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. (CVE-2018-8350)
Information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8341)
Information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory.(CVE-2018-8394 and CVE-2018-8396)
RCE vulnerability exists in the way that the Windows Graphics Device Interface handles objects in the memory.(CVE-2018-8397)
Elevation of privilege vulnerability exists when the DirectX Graphics Kernel driver improperly handles objects in memory.(CVE-2018-8406)
RCE vulnerability exists when the Windows Shell does not properly validate file paths.(CVE-2018-8414)
QID Detection Logic (Authenticated):
Operating Systems: Windows
This QID checks the following Win32k.sys file versions for all affected OS except Windows 2008 SP2, Windows 10 and Windows 2016:
Version: 6.1.7601.24204 (KB4343900 or KB4343899)
Version: 6.2.9200.22515 (KB4343901 or KB4343896)
Version: 6.3.9600.19095 (KB4343898 or KB4343888)
This QID checks the following Win32kfull.sys file versions for Windows 10 and Windows 2016:
Version: 10.0.10240.17946 (KB4343892)
Version: 10.0.14393.2430 (KB4343887)
Version: 10.0.15063.1266 (KB4343885)
Version: 10.0.16299.611 (KB4343897)
Version: 10.0.17134.228 (KB4343909)
This QID checks the following files and their versions for Windows 2008 SP2:
Version: Advapi32.dll 6.0.6002.24444 (KB4341832)
Version: Msimg32.dll 6.0.6002.24439 (KB4343674)
Version: Authui.dll 6.0.6002.24433 (KB4340937)
Version: Fontsub.dll 6.0.6002.24441 (KB4344104)
Version: Msshsq.dll 7.0.6002.24434 (KB4340939)
Version: Cscsvc.dll 6.0.6002.24436 (KB4338380)
Patches:
The following are links for downloading patches to fix these vulnerabilities:
4338380
4340937
4340939
4341832
4343674
4343885
4343887
4343888
4343892
4343896
4343897
4343898
4343899
4343900
4343901
4343909
4344104
Affected Software:
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017
Microsoft Visual Studio 2017 Version 15.8
QID Detection Logic:
This QID detects vulnerable versions of Microsoft Visual Studio 2017 Version 15.8.0 by checking if the devenv.exe file version is lower than 15.0.28010.0.
This QID detects vulnerable versions of Microsoft Visual Studio 2015 Update 3 by checking if the DiagnosticsHub.StandardCollector.Runtime.dll file version is lower than 14.0.27526.0.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2018-0952
KB4343885, KB4343887, KB4343892, KB4343897, KB4343909, KB4344144, KB4344145, KB4344146, KB4344147, KB4344148, KB4344149, KB4344150, KB4344151, KB4344152, KB4344153, KB4344165, KB4344166, KB4344167, KB4344171, KB4344172, KB4344173, KB4344175, KB4344176, KB4344177 and KB4344178 are covered in this QID.
This security update is rated Important for supported versions of Microsoft .NET Framework.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of mscorlib.dll
Patches:
The following are links for downloading patches to fix these vulnerabilities:
.NET Framework August 2018
On August 14, 2018, a new subclass of speculative execution side channel vulnerabilities known as L1 Terminal Fault (L1TF) was announced and assigned CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646.
The vulnerabilities affect Intel Core processors and Intel Xeon processors.
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
This QID checks whether the running processor is an Intel processor by looking up the registry key "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor{DESCRIPTION}" value "VendorIdentifier".
This QID checks the following file versions of %windir%\System32\Win32k.sys for all affected OS except Windows 2008 SP2, Windows 10 and Windows 2016:
The patch version is 6.1.7601.24204 (KB4343900 or KB4343899)
The patch version is 6.2.9200.22515 (KB4343901 or KB4343896)
The patch version is 6.3.9600.19095 (KB4343898 or KB4343888)
This QID checks the following file versions of %windir%\System32\Win32kfull.sys for Windows 10 and Windows 2016:
The patch version is 10.0.10240.17946 (KB4343892)
The patch version is 10.0.14393.2430 (KB4343887)
The patch version is 10.0.15063.1266 (KB4343885)
The patch version is 10.0.16299.611 (KB4343897)
The patch version is 10.0.17134.228 (KB4343909)
This QID checks the following files and their versions for Windows 2008 SP2:
The patch version of %windir%\System32\Advapi32.dll is 6.0.6002.24444 (KB4341832)
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV180018
These new vulnerability checks are included in Qualys vulnerability signature 2.4.395-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
To perform a selective vulnerability scan, configure a scan profile to use the following options:
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Platforms and Platform Identification
For more information, customers may contact Qualys Technical Support.