Cloud Platform
Solutions
Subscriptions
Cloud platform apps
Customers
Partners
Community
Support
Company
Login

Microsoft security alert.

September 11, 2018

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 60 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit our blog to see how to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for September 2018

    Severity
    Critical 4
    Qualys ID
    100343
    Vendor Reference
    Security Update Guide
    CVE Reference
    CVE-2018-8315, CVE-2018-8447, CVE-2018-8452, CVE-2018-8457, CVE-2018-8461, CVE-2018-8470
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016.
    This QID checks for the file version of %windir%\System32\mshtml.dll
    The following versions of mshtml.dll with their corresponding KBs are verified:
    1. KB4457144 - 11.0.9600.19130
    2. KB4457426 - 11.0.9600.19130
    3. KB4457129 - 11.0.9600.19061
    4. KB4457131 - 11.0.14393.2485
    5. KB4457132 - 11.0.10240.17976
    6. KB4457138 - 11.0.15063.1324
    7. KB4457142 - 11.0.16299.665
    8. KB4457128 - 11.0.17134.285
    9. KB4457135 - 10.0.9200.22500
    10. KB4458010 - 9.0.8112.21261

    Consequence
    Depending on the vulnerability being exploited, an attacker could execute arbitrary code with elevated privileges, access sensitive information or cause a denial of service condition on the targeted system.
    Solution
    For more information, Customers are advised to refer the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Windows Adobe Flash Player Security Update for September 2018 (ADV180023)

    Severity
    Urgent 5
    Qualys ID
    100344
    Vendor Reference
    ADV180023
    CVE Reference
    CVE-2018-15967
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    This security update resolves vulnerabilities in Adobe Flash Player that is installed on any supported edition of Windows Server version 1803, Windows 10 Version 1803, Windows Server 2016 Version 1709, Windows 10 Version 1709, Windows 10 Version 1703, Windows Server 2016, Windows 10 Version 1607, Windows 10 RTM, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, and Windows Server 2012.

    QID Detection Logic:
    This authenticated QID checks for the file version of %windir%\System32\Macromed\Flash\Flash.ocx for file versions lesser than 31.0.0.108.

    The KB Article associated with this update is: KB4457146

    Consequence
    Successful exploitation allows remote code execution.
    Solution
    Customers are advised to follow KB4457146 for instructions pertaining to the remediation of these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV180023

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update September 2018

    Severity
    Critical 4
    Qualys ID
    110323
    Vendor Reference
    KB4022207, KB4032246, KB4092447, KB4092459, KB4092460, KB4092466, KB4092467, KB4092470, KB4092479, KB4227175
    CVE Reference
    CVE-2018-8331, CVE-2018-8332, CVE-2018-8426, CVE-2018-8428, CVE-2018-8429, CVE-2018-8430, CVE-2018-8431, CVE-2018-8474
    CVSS Scores
    Base 7.5 / Temporal 5
    Description
    Microsoft releases security updates on September 2018 to fix multiple security vulnerabilities.

    This security updates contain following KBs:
    KB4022207 KB4032246 KB4092447 KB4092459 KB4092460 KB4092466 KB4092467 KB4092470 KB4092479 KB4227175

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update September 2018

  • Microsoft Windows FragmentSmack Denial of Service Vulnerability (ADV180022)

    Severity
    Serious 3
    Qualys ID
    91470
    Vendor Reference
    ADV180022
    CVE Reference
    CVE-2018-5391
    CVSS Scores
    Base 7.1 / Temporal 5.6
    Description
    Microsoft Windows in affected by a denial of service vulnerability named "FragmentSmack".

    An attacker could send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassembling IP fragments.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10(Builds 1507, 1607, 1703, 1709 and 1803), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks for following file versions %windir%\System32\drivers\tcpip.sys:
    The patch version of 6.0.6002.24464 (KB4457984 or KB4458010)
    The patch version of 6.1.7601.24233 (KB4457145 or KB4457144)
    The patch version of 6.2.9200.22552 (KB4457135 or KB4457140)

    The patch version of 6.3.9600.19125 (KB4457143 or KB4457129)
    The patch version of 10.0.10240.17976 (KB4457132)
    The patch version of 10.0.14393.2485 (KB4457131)
    The patch version of 10.0.15063.1324 (KB4457138)
    The patch version of 10.0.16299.665 (KB4457142)

    The patch version of 10.0.17134.285 (KB4457128)

    Consequence
    A system under attack would become unresponsive with 100% CPU utilization but would recover as soon as the attack terminated.
    Solution
    Customers are advised to refer to advisory ADV180022 for more details pertaining to this vulnerability.

    Workaround:
    The following commands disable packet reassembly:

    Netsh int ipv4 set global reassemblylimit=0
    Netsh int ipv6 set global reassemblylimit=0
    After setting these commands, any out of order packets are dropped.

    Note: There is a potential for packet loss when discarding out-of-order packets.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    ADV180022

  • Microsoft Edge Security Update for September 2018

    Severity
    Urgent 5
    Qualys ID
    91471
    Vendor Reference
    KB4457128, KB4457131, KB4457132, KB4457138, KB4457142
    CVE Reference
    CVE-2018-8315, CVE-2018-8354, CVE-2018-8366, CVE-2018-8367, CVE-2018-8425, CVE-2018-8452, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459, CVE-2018-8463, CVE-2018-8464, CVE-2018-8465, CVE-2018-8466, CVE-2018-8467, CVE-2018-8469
    CVSS Scores
    Base 10 / Temporal 7.4
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser.

    Microsoft Edge is vulnerable to multiple issues.

    KB Articles associated with the update:
    1) KB4457131
    2) KB4457132
    3) KB4457138
    4) KB4457142
    5) KB4457128

    QID Detection Logic (Authenticated):
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.10240.17976 (KB4457132)
    The patch version is 11.0.14393.2485 (KB4457131)
    The patch version is 11.0.15063.1324 (KB4457138)
    The patch version is 11.0.16299.665 (KB4457142)
    The patch version is 11.0.17134.285 (KB4457128)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.

    Solution
    Customers are advised to refer to Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows(Edge)

  • Microsoft .NET Framework Security Update September 2018

    Severity
    Urgent 5
    Qualys ID
    91472
    Vendor Reference
    KB4457025, KB4457026, KB4457027, KB4457028, KB4457029, KB4457030, KB4457033, KB4457034, KB4457035, KB4457036, KB4457037, KB4457038, KB4457042, KB4457043, KB4457044, KB4457045, KB4457053, KB4457054, KB4457055, KB4457056, KB4457128, KB4457131, KB4457132, KB4457138, KB4457142
    CVE Reference
    CVE-2018-8421
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system.

    KB4457025, KB4457026, KB4457027, KB4457028, KB4457029, KB4457030, KB4457033, KB4457034, KB4457035, KB4457036, KB4457037, KB4457038, KB4457042, KB4457043, KB4457044, KB4457045, KB4457053, KB4457054, KB4457055, KB4457056, KB4457128, KB4457131, KB4457132, KB4457138, KB4457142 are covered in this QID. This security update is rated Critical for supported versions of Microsoft .NET Framework.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of mscorlib.dll

    Consequence
    An attacker can install programs, view, change, or delete data or create new accounts with full user rights.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    .NET Framework September 2018

  • Microsoft ASP.NET System.IO.Pipelines Denial of Service Vulnerability (September 2018)

    Severity
    Critical 4
    Qualys ID
    91473
    Vendor Reference
    CVE-2018-8409
    CVE Reference
    CVE-2018-8409
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    Microsoft ASP.NET Core is a free and open-source web framework developed by Microsoft and the community.

    A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests. The update addresses the vulnerability by correcting how System.IO.Pipelines handles requests.

    Affected Versions:
    ASP.NET Core versions 2.1.0 through 2.1.3

    QID Detection Logic (Authenticated):
    Microsoft Windows: This authenticated QID checks the Microsoft.AspNetCore.All, Microsoft.AspNetCore.App and Microsoft.NETCore.App version via the .version file located in the shared directory.

    Consequence
    An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application by providing a specially crafted web requests.
    Solution
    Customers are advised to follow the Microsoft Security Update Guide CVE-2018-8409 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2018-8409

  • Microsoft Windows Security Update September 2018

    Severity
    Critical 4
    Qualys ID
    371164
    Vendor Reference
    KB4457128, KB4457129, KB4457131, KB4457132, KB4457135, KB4457138, KB4457140, KB4457142, KB4457143, KB4457144, KB4457145, KB4457984, KB4458010
    CVE Reference
    CVE-2018-0965, CVE-2018-8271, CVE-2018-8332, CVE-2018-8335, CVE-2018-8336, CVE-2018-8337, CVE-2018-8392, CVE-2018-8393, CVE-2018-8410, CVE-2018-8419, CVE-2018-8420, CVE-2018-8424, CVE-2018-8433, CVE-2018-8434, CVE-2018-8435, CVE-2018-8436, CVE-2018-8437, CVE-2018-8438, CVE-2018-8439, CVE-2018-8440, CVE-2018-8441, CVE-2018-8442, CVE-2018-8443, CVE-2018-8444, CVE-2018-8445, CVE-2018-8446, CVE-2018-8449, CVE-2018-8455, CVE-2018-8462, CVE-2018-8468, CVE-2018-8475
    CVSS Scores
    Base 6.8 / Temporal 5.3
    Description
    Remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.(CVE-2018-0965)

    Information disclosure vulnerability exists in Windows when the Windows bowser.sys kernel-mode driver fails to properly handle objects in memory. (CVE-2018-8271)

    Remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts.(CVE-2018-8332)

    Denial of service vulnerability exists in the Microsoft SMB when an attacker sends specially crafted requests to the server. (CVE-2018-8335)

    Information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8336)

    Security feature bypass vulnerability exists when Windows Subsystem for Linux improperly handles case sensitivity.(CVE-2018-8337)

    Buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. (CVE-2018-8392,CVE-2018-8393)

    Elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory.(CVE-2018-8410)

    Information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address.(CVE-2018-8419)

    Remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input.(CVE-2018-8420)

    Information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory.(CVE-2018-8424)

    Information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory.(CVE-2018-8433)

    Information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-8434)

    Security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source.(CVE-2018-8435)

    Denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. (CVE-2018-8436)

    Denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system.(CVE-2018-8437,CVE-2018-8438)

    Remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-8439)

    Elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).(CVE-2018-8440)

    Elevation of privilege vulnerability exists due to an integer overflow in Windows Subsystem for Linux.(CVE-2018-8441)

    Information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8442, CVE-2018-8443, CVE-2018-8445,CVE-2018-8446)

    Information disclosure vulnerability exists in the way that the Microsoft SMBv2 server handles certain requests.(CVE-2018-8444)

    Security feature bypass exists when Device Guard incorrectly validates an untrusted file.(CVE-2018-8449)

    Elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory.(CVE-2018-8455)

    Elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.(CVE-2018-8462)

    Elevation of privilege vulnerability exists when Windows, allowing a sandbox escape.(CVE-2018-8468)

    Remote code execution vulnerability exists when Windows does not properly handle specially crafted image files.(CVE-2018-8475)

    Note:Advanced Local Procedure Call (ALPC) Zero day in Windows task scheduler has been fixed in the September Updates and has been assigned CVE-2018-8440.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4457128 Windows 10
    KB4457129 Windows 8.1, Windows Server 2012 R2
    KB4457131 Windows 10, Windows Server 2016
    KB4457132 Windows 10
    KB4457135 Windows Server 2012
    KB4457138 Windows 10
    KB4457140 Windows Server 2012
    KB4457142 Windows 10
    KB4457143 Windows 8.1, Windows Server 2012 R2
    KB4457144 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
    KB4457145 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
    KB4457984 Windows Server 2008 Service Pack 2
    KB4458010 Windows Server 2008 Service Pack 2

These new vulnerability checks are included in Qualys vulnerability signature 2.4.417-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100343
    • 100344
    • 110323
    • 91470
    • 91471
    • 91472
    • 91473
    • 371164
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.