
Microsoft security alert.

October 9, 2018

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 47 vulnerabilities that were fixed in 6 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit our blog to see how to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 6 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for October 2018

    Severity
    Critical 4
    Qualys ID
    100345
    Vendor Reference
    KB4462917, KB4462918, KB4462919, KB4462922, KB4462923, KB4462926, KB4462937, KB4462949, KB4464330
    CVE Reference
    CVE-2018-8460, CVE-2018-8491
    CVSS Scores
    Base 7.6 / Temporal 6
    Description
    Internet Explorer is a web browser developed by Microsoft and included in Microsoft Windows operating systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer that address various vulnerabilities found in Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7, Windows 8 Embedded, Windows XP Embedded, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016.

    This QID checks for the file version of %windir%\System32\mshtml.dll

    The following versions of mshtml.dll with their corresponding KBs are verified:
    1. KB 4462923 - 11.0.9600.19155
    2. KB 4462949 - 10.0.9200.22572, 11.2.9600.19155, 8.0.6001.24117, 9.1.8112.21272
    3. KB 4462926 - 11.0.9600.19155
    4. KB 4462917 - 11.0.14393.2551
    5. KB 4462922 - 11.0.10240.18005
    6. KB 4462937 - 11.0.15063.1387
    7. KB 4462918 - 11.0.16299.726
    8. KB 4462919 - 11.0.17134.345
    9. KB 4464330 - 11.0.17763.55

    Consequence
    Successful exploitation of the vulnerability will lead to arbitrary code execution within the context of the current user.

    Solution
    For more information, refer to the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2018

    Severity
    Critical 4
    Qualys ID
    110324
    Vendor Reference
    KB4022138, KB4092439, KB4092444, KB4092453, KB4092464, KB4092477, KB4092481, KB4092482, KB4092483, KB4227167, KB4227170, KB4461434, KB4461437, KB4461440, KB4461445, KB4461447, KB4461448, KB4461449, KB4461450, KB4461457, KB4461460, KB4461466
    CVE Reference
    CVE-2018-8427, CVE-2018-8432, CVE-2018-8480, CVE-2018-8488, CVE-2018-8498, CVE-2018-8501, CVE-2018-8502, CVE-2018-8504, CVE-2018-8518
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft released security updates in October 2018 to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB4022138
    KB4092439
    KB4092444
    KB4092453
    KB4092464
    KB4092477
    KB4092481
    KB4092482
    KB4092483
    KB4227167
    KB4227170
    KB4461434
    KB4461437
    KB4461440
    KB4461445
    KB4461447
    KB4461448
    KB4461449
    KB4461450
    KB4461457
    KB4461460
    KB4461466

    QID Detection Logic:
    This authenticated QID compares the file versions listed in the Microsoft KB articles above with the file versions present on the affected Office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update October 2018

  • Microsoft Windows Exchange Server Update For October 2018

    Severity
    Critical 4
    Qualys ID
    53017
    Vendor Reference
    KB2565063, KB4459266
    CVE Reference
    CVE-2010-3190, CVE-2018-8265, CVE-2018-8448
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    The following vulnerabilities have been fixed in Microsoft Windows Exchange Server:

    CVE-2010-3190: A remote code execution vulnerability exists in the way that certain applications built using Microsoft Foundation Classes (MFC) handle the loading of DLL files. Exchange Server was not identified as an in-scope product when CVE-2010-3190 was originally published.

    CVE-2018-8265: A remote code execution vulnerability exists in the way Microsoft Exchange software parses specially crafted email messages.

    CVE-2018-8448: An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests.

    KB Articles associated with this update are: KB2565063, KB4459266

    Affected Versions:
    Microsoft Exchange Server 2010 Service Pack 3
    Microsoft Exchange Server 2013
    Microsoft Exchange Server 2013 Cumulative Update 21
    Microsoft Exchange Server 2016
    Microsoft Exchange Server 2016 Cumulative Update 9, 10

    QID Detection Logic:
    The following file versions are checked:
    Atl100.dll - MS Exchange 2010 SP3: 10.0.40219.325
    Exsetup.exe - MS Exchange 2013: 15.1.1531.7
    Exsetup.exe - MS Exchange 2013 CU21: 15.0.1395.8
    Exsetup.exe - MS Exchange 2016 CU10: 15.1.1531.7, 15.1.1466.12

    Consequence
    Successful exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code with elevated privileges.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB2565063
    KB4459266

  • Microsoft Edge Security Update for October 2018

    Severity
    Urgent 5
    Qualys ID
    91475
    Vendor Reference
    KB4462917, KB4462918, KB4462919, KB4462922, KB4462937, KB4464330
    CVE Reference
    CVE-2018-8473, CVE-2018-8503, CVE-2018-8505, CVE-2018-8509, CVE-2018-8510, CVE-2018-8511, CVE-2018-8512, CVE-2018-8513, CVE-2018-8530
    CVSS Scores
    Base 7.6 / Temporal 5.6
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser. Microsoft Edge is vulnerable to multiple issues.

    KB Articles associated with the update:
    KB4462917
    KB4462918
    KB4462919
    KB4462922
    KB4462937
    KB4464330

    QID Detection Logic (Authenticated):
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.10240.18005 (KB4462922)
    The patch version is 11.0.14393.2551 (KB4462917)
    The patch version is 11.0.15063.1387 (KB4462937)
    The patch version is 11.0.16299.726 (KB4462918)
    The patch version is 11.0.17134.345 (KB4462919)
    The patch version is 11.0.17763.55 (KB4464330)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.

    Solution
    Refer to Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows(Edge)

  • Microsoft SQL Server Management Studio Information Disclosure Vulnerability Update for October 2018

    Severity
    Critical 4
    Qualys ID
    91476
    Vendor Reference
    SSMS 17.9
    CVE Reference
    CVE-2018-8527, CVE-2018-8532, CVE-2018-8533
    CVSS Scores
    Base 4.3 / Temporal 3.4
    Description
    SSMS is an integrated environment for managing any SQL infrastructure, from SQL Server to SQL Database. SSMS provides tools to configure, monitor, and administer instances of SQL.

    The following information disclosure vulnerabilities have been fixed:
    CVE-2018-8527: An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XEL file containing a reference to an external entity.
    CVE-2018-8532: An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing a malicious XMLA file containing a reference to an external entity.
    CVE-2018-8533: An information disclosure vulnerability exists in Microsoft SQL Server Management Studio (SSMS) when parsing malicious XML content containing a reference to an external entity.
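The three CVEs above share one cause: an XML parser that follows external entity references in attacker-supplied input. The function below is an added Python example written for this note (it is not SSMS's parser and not Qualys's check) showing how a consumer of untrusted XML refuses such references with the standard-library expat parser: any DOCTYPE is rejected by default, and even when an internal DTD is allowed, an entity or DOCTYPE carrying a SYSTEM or PUBLIC identifier raises before the parser can resolve it. The sample documents are constructed, and the file path in the hostile one is a placeholder.

```python
"""Added example (not SSMS's parser): refuse external entities in untrusted XML.

Uses only the standard-library expat parser. The sample documents at the
bottom are constructed; the file path in the hostile one is a placeholder.
"""
import xml.parsers.expat as expat
from typing import Dict, List


class UnsafeXml(ValueError):
    """Raised when untrusted XML tries to pull in content from outside itself."""


def parse_untrusted_xml(data: bytes, allow_doctype: bool = False) -> Dict[str, List[str]]:
    """Parse XML from an untrusted source and return element names and text.

    By default any DOCTYPE is rejected, which is the simplest robust rule.
    With allow_doctype=True an internal subset is accepted, but any entity
    or DOCTYPE that points at a SYSTEM or PUBLIC identifier still raises
    UnsafeXml before the parser could follow the reference.
    """
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (the DTD side of XXE).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    summary: Dict[str, List[str]] = {"elements": [], "text": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_doctype or system_id or public_id:
            raise UnsafeXml(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeXml(f"external entity {name!r} -> {system_id!r}")

    def on_external_ref(context, base, system_id, public_id):
        # Reached only if a declaration slipped past on_entity_decl; still refuse.
        raise UnsafeXml(f"external entity reference to {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: summary["elements"].append(name)
    parser.CharacterDataHandler = lambda text: summary["text"].append(text)
    parser.Parse(data, True)
    return summary


def is_safe(data: bytes, allow_doctype: bool = False) -> bool:
    """True if the document parses without any external reference."""
    try:
        parse_untrusted_xml(data, allow_doctype)
    except (UnsafeXml, expat.ExpatError):
        return False
    return True


# Constructed samples: a plain document, one with an internal-only DTD, and one
# that declares an external entity (placeholder path, not a real target).
PLAIN = b"<events><event name='login'>ok</event></events>"
INTERNAL_DTD = b"<!DOCTYPE x [<!ENTITY greet 'hello'>]><x>&greet;</x>"
EXTERNAL_ENTITY = (b"<!DOCTYPE x [<!ENTITY ext SYSTEM 'file:///placeholder/secret.txt'>]>"
                   b"<x>&ext;</x>")

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("internal DTD", INTERNAL_DTD),
                       ("external entity", EXTERNAL_ENTITY)]:
        print(f"{label}: safe={is_safe(doc)} safe_with_doctype={is_safe(doc, True)}")
```

The design choice worth noting is that the check happens at declaration time, in the entity-declaration and DOCTYPE handlers, rather than at reference time, so a hostile document is rejected before any reference could be resolved; the external-reference handler is kept only as a second line of defence.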

    Affected Versions:
    SQL Server Management Studio versions prior to 17.9

    QID Detection Logic:
    This authenticated QID detects the installed version of Microsoft SQL Server Management Studio.

    Consequence
    An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity declaration.

    Solution
    Customers are advised to upgrade to SQL Server Management Studio 17.9 or later versions to remediate these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    SQL Server Management Studio 17.9

  • Microsoft Windows Security Update October 2018

    Severity
    Serious 3
    Qualys ID
    91474
    Vendor Reference
    KB4462915, KB4462917, KB4462918, KB4462919, KB4462922, KB4462923, KB4462926, KB4462929, KB4462931, KB4462937, KB4462941, KB4463097, KB4463104, KB4464330
    CVE Reference
    CVE-2018-8320, CVE-2018-8329, CVE-2018-8330, CVE-2018-8333, CVE-2018-8411, CVE-2018-8413, CVE-2018-8423, CVE-2018-8427, CVE-2018-8432, CVE-2018-8453, CVE-2018-8472, CVE-2018-8481, CVE-2018-8482, CVE-2018-8484, CVE-2018-8486, CVE-2018-8489, CVE-2018-8490, CVE-2018-8492, CVE-2018-8493, CVE-2018-8494, CVE-2018-8495, CVE-2018-8497, CVE-2018-8506
    CVSS Scores
    Base 9.3 / Temporal 7.3
    Description
    A security feature bypass vulnerability exists in the DNS Global Blocklist feature. (CVE-2018-8320)

    An elevation of privilege vulnerability exists in Windows Subsystem for Linux when it fails to properly handle objects in memory. (CVE-2018-8329)

    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8330)

    An elevation of privilege vulnerability exists in Filter Manager when it improperly handles objects in memory. (CVE-2018-8333)

    An elevation of privilege vulnerability exists when NTFS improperly checks access. (CVE-2018-8411)

    A remote code execution vulnerability exists when the "Windows Theme API" does not properly decompress files. (CVE-2018-8413)

    A remote code execution vulnerability exists in the Microsoft JET Database Engine. (CVE-2018-8423)

    An information disclosure vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. (CVE-2018-8427)

    A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. (CVE-2018-8432)

    An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. (CVE-2018-8453)

    An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. (CVE-2018-8472)

    An information disclosure vulnerability exists when Windows Media Player improperly discloses file information. (CVE-2018-8481)

    An information disclosure vulnerability exists when Windows Media Player improperly discloses file information. (CVE-2018-8482)

    An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. (CVE-2018-8484)

    An information disclosure vulnerability exists when DirectX improperly handles objects in memory. (CVE-2018-8486)

    A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-8489, CVE-2018-8490)

    A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. (CVE-2018-8492)

    An information disclosure vulnerability exists when the Windows TCP/IP stack improperly handles fragmented IP packets. (CVE-2018-8493)

    A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. (CVE-2018-8494)

    A remote code execution vulnerability exists when Windows Shell improperly handles URIs. (CVE-2018-8495)

    An elevation of privilege vulnerability exists in the way that the Windows kernel handles objects in memory. (CVE-2018-8497)

    An information disclosure vulnerability exists in the way that the Microsoft Windows Codecs Library handles objects in memory. (CVE-2018-8506)

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
    This QID checks for the following file versions of %windir%\System32\ntoskrnl.exe:
    The patch version of 6.0.6002.24491 (KB4463097 or KB4463104)
    The patch version of 6.1.7601.24260 (KB4462923 or KB4462915)
    The patch version of 6.2.9200.22570 (KB4462929 or KB4462931)
    The patch version of 6.3.9600.19153 (KB4462926 or KB4462941)
    The patch version of 10.0.10240.18005 (KB4462922)
    The patch version of 10.0.14393.2551 (KB4462917)
    The patch version of 10.0.15063.1387 (KB4462937)
    The patch version of 10.0.16299.726 (KB4462918)
    The patch version of 10.0.17134.345 (KB4462919)
    The patch version of 10.0.17763.55 (KB4464330)
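The version comparison that the Internet Explorer (QID 100345, mshtml.dll), Edge (QID 91475, edgehtml.dll) and Windows (QID 91474, ntoskrnl.exe) detection logic above relies on, as an added Python example written for this advisory rather than Qualys's own detection code. It carries the patched versions and KB numbers listed in those three sections, matches an observed file version to the patched version on the same major.minor.build branch, and reports which KB is missing. The rule that a branch is identified by the first three version components is this example's generalization of the per-OS lists above, and the observed versions in the demo are constructed sample input.

```python
"""Added example (not Qualys's detection code): the file-version check that the
IE (mshtml.dll), Edge (edgehtml.dll) and Windows (ntoskrnl.exe) QIDs describe.

The patched versions and KB numbers below are the ones listed in the advisory;
the observed versions in the demo at the bottom are constructed sample input.
"""
from typing import List, NamedTuple, Optional, Tuple


class Verdict(NamedTuple):
    status: str              # "patched", "missing" or "unknown_branch"
    branch: str              # first three components, e.g. "10.0.17134"
    required: Optional[str]  # patched version for that branch (None if unknown)
    kbs: Tuple[str, ...]     # KBs that ship the patched file on that branch


# (patched file version, KB) pairs as listed in the advisory.
PATCHED_VERSIONS = {
    "mshtml.dll": [
        ("11.0.9600.19155", "KB4462923"), ("11.0.9600.19155", "KB4462926"),
        ("10.0.9200.22572", "KB4462949"), ("11.2.9600.19155", "KB4462949"),
        ("8.0.6001.24117", "KB4462949"), ("9.1.8112.21272", "KB4462949"),
        ("11.0.14393.2551", "KB4462917"), ("11.0.10240.18005", "KB4462922"),
        ("11.0.15063.1387", "KB4462937"), ("11.0.16299.726", "KB4462918"),
        ("11.0.17134.345", "KB4462919"), ("11.0.17763.55", "KB4464330"),
    ],
    "edgehtml.dll": [
        ("11.0.10240.18005", "KB4462922"), ("11.0.14393.2551", "KB4462917"),
        ("11.0.15063.1387", "KB4462937"), ("11.0.16299.726", "KB4462918"),
        ("11.0.17134.345", "KB4462919"), ("11.0.17763.55", "KB4464330"),
    ],
    "ntoskrnl.exe": [
        ("6.0.6002.24491", "KB4463097"), ("6.0.6002.24491", "KB4463104"),
        ("6.1.7601.24260", "KB4462923"), ("6.1.7601.24260", "KB4462915"),
        ("6.2.9200.22570", "KB4462929"), ("6.2.9200.22570", "KB4462931"),
        ("6.3.9600.19153", "KB4462926"), ("6.3.9600.19153", "KB4462941"),
        ("10.0.10240.18005", "KB4462922"), ("10.0.14393.2551", "KB4462917"),
        ("10.0.15063.1387", "KB4462937"), ("10.0.16299.726", "KB4462918"),
        ("10.0.17134.345", "KB4462919"), ("10.0.17763.55", "KB4464330"),
    ],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.revision' into a tuple that compares numerically.

    String comparison would rank 10.0.17134.345 below 10.0.17134.99; integer
    tuples do not.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted components, got {text!r}")
    return parts


def assess(file_name: str, observed: str) -> Verdict:
    """Compare an observed file version with the patched version on its branch.

    Each Windows release keeps its own build number (third component), so a
    file is only compared with the patched version that shares major.minor.build;
    comparing across branches would mark every older OS as patched or every
    newer OS as missing.
    """
    obs = parse_version(observed)
    branch = obs[:3]
    branch_str = ".".join(str(n) for n in branch)
    candidates = [
        (parse_version(version), kb)
        for version, kb in PATCHED_VERSIONS[file_name]
        if parse_version(version)[:3] == branch
    ]
    if not candidates:
        # The advisory lists no patch for this branch; the scanner would not
        # flag it under this QID, and the host needs a separate assessment.
        return Verdict("unknown_branch", branch_str, None, ())
    required = min(version for version, _ in candidates)
    kbs = tuple(sorted({kb for _, kb in candidates}))
    status = "patched" if obs >= required else "missing"
    return Verdict(status, branch_str, ".".join(str(n) for n in required), kbs)


def assess_host(observed: dict) -> List[str]:
    """Summarise verdicts for a host as one line per checked file."""
    lines = []
    for file_name, version in observed.items():
        v = assess(file_name, version)
        if v.status == "missing":
            lines.append(f"{file_name} {version}: missing {' or '.join(v.kbs)} "
                         f"(needs {v.required})")
        else:
            lines.append(f"{file_name} {version}: {v.status}")
    return lines


if __name__ == "__main__":
    # Constructed observations for a Windows 10 1803 host with a stale kernel.
    sample_host = {"ntoskrnl.exe": "10.0.17134.320", "edgehtml.dll": "11.0.17134.345"}
    print("\n".join(assess_host(sample_host)))
```

Feed it the file version the operating system reports for each file; reading that version from a host is outside this snippet. Two details matter in practice: versions must be compared as integer tuples, not strings, and a host whose build branch is absent from the table is reported as unassessed rather than silently treated as patched.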

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.

    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4462915
    KB4462917
    KB4462918
    KB4462919
    KB4462922
    KB4462923
    KB4462926
    KB4462929
    KB4462931
    KB4462937
    KB4462941
    KB4463097
    KB4463104
    KB4464330

These new vulnerability checks are included in Qualys vulnerability signature 2.4.438-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100345
    • 110324
    • 53017
    • 91475
    • 91476
    • 91474
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance posture, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.