Cloud Platform
Support

Microsoft security alert.

December 11, 2018

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Qualys Cloud Platform to protect organizations against 37 vulnerabilities that were fixed in 7 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit our blog to see how to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 7 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Internet Explorer Security Update for December 2018

    Severity
    Urgent 5
    Qualys ID
    100349
    Vendor Reference
    KB4470199, KB4471318, KB4471320, KB4471321, KB4471323, KB4471324, KB4471325, KB4471327, KB4471329, KB4471330, KB4471332
    CVE Reference
    CVE-2018-8619, CVE-2018-8625, CVE-2018-8631, CVE-2018-8643
    CVSS Scores
    Base 7.6 / Temporal 6
    Description
    Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.

    Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 8 Standard, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.

    This QID checks for the file version of %windir%\System32\mshtml.dll

    The following versions of mshtml.dll with their corresponding KBs are verified:
    1.KB4471318 - 11.0.9600.19204
    2.KB4470199 - 11.0.9600.19204,10.0.9200.22620,11.0.9600.19204,9.0.8112.21291,
    3.KB4471320 - 11.0.9600.19204
    4.KB4471321 - 11.0.14393.2665
    5.KB4471323 - 11.0.10240.18063
    6.KB4471327 - 11.0.15063.1506
    7.KB4471329 - 11.0.16299.846
    8.KB4471324 - 11.0.17134.471
    9.KB4471332 - 11.0.17763.194
    10.KB4471330 - 10.0.9200.22620
    11.KB4471325 - 9.0.8112.21291

    Consequence
    Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user.

    Solution
    For more information, refer to the Security Update Guide.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide

  • Microsoft Office and Microsoft Office Services and Web Apps Security Update December 2018

    Severity
    Critical 4
    Qualys ID
    110327
    Vendor Reference
    KB2597975, KB2965312, KB4011207, KB4011680, KB4092472, KB4461465, KB4461481, KB4461521, KB4461532, KB4461541, KB4461542, KB4461544, KB4461549, KB4461551, KB4461556, KB4461558, KB4461559, KB4461565, KB4461566, KB4461569, KB4461570, KB4461576, KB4461577, KB4461580
    CVE Reference
    CVE-2018-8580, CVE-2018-8587, CVE-2018-8597, CVE-2018-8598, CVE-2018-8627, CVE-2018-8628, CVE-2018-8635, CVE-2018-8636, CVE-2018-8650
    CVSS Scores
    Base 9.3 / Temporal 6.9
    Description
    Microsoft released security updates in December 2018 to fix multiple security vulnerabilities.

    This security update contains the following KBs:
    KB2597975
    KB2965312
    KB4011207
    KB4011680
    KB4092472
    KB4461465
    KB4461481
    KB4461521
    KB4461532
    KB4461541
    KB4461542
    KB4461544
    KB4461549
    KB4461551
    KB4461556
    KB4461558
    KB4461559
    KB4461565
    KB4461566
    KB4461569
    KB4461570
    KB4461576
    KB4461577
    KB4461580

    QID Detection Logic:
    This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system.

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Office and Microsoft Office Services and Web Apps Security Update December 2018

  • Microsoft Edge Security Update for December 2018

    Severity
    Urgent 5
    Qualys ID
    91485
    Vendor Reference
    KB4471321, KB4471323, KB4471324, KB4471327, KB4471329, KB4471332
    CVE Reference
    CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629
    CVSS Scores
    Base 7.6 / Temporal 6
    Description
    Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser. Microsoft Edge is vulnerable to multiple issues.

    The KB Articles associated with the update:
    KB4471323
    KB4471321
    KB4471327
    KB4471329
    KB4471324
    KB4471332

    The QID Detection Logic (Authenticated):
    This QID reviews the file version of %windir%\System32\edgehtml.dll
    The patch version is 11.0.10240.18063 (KB4471323)
    The patch version is 11.0.14393.2636 (KB4471321)
    The patch version is 11.0.15063.1478 (KB4471327)
    The patch version is 11.0.16299.820 (KB4471329)
    The patch version is 11.0.17134.471 (KB4471324)
    The patch version is 11.0.17763.168 (KB4471332)

    Consequence
    Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.

    Solution
    Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Security Update Guide Windows(Edge)

  • Microsoft Visual Studio Security Update for December 2018

    Severity
    Critical 4
    Qualys ID
    91486
    Vendor Reference
    CVE-2018-8599
    CVE Reference
    CVE-2018-8599
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles certain file operations. To exploit this vulnerability, an attacker would require unprivileged access to a vulnerable system.

    Affected Software:
    Microsoft Visual Studio 2015 Update 3
    Microsoft Visual Studio 2017
    Microsoft Visual Studio 2017 Version 15.9

    QID Detection Logic:
    This QID detects vulnerable versions of Microsoft Visual Studio 2015 Update 3 by checking if the StandardCollector.Service.exe file version is lesser than 14.0.27529.0

    Consequence
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with elevated privileges on the targeted system.
    Solution
    Customers are advised to refer to CVE-2018-8599 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2018-8599

  • Microsoft Windows Security Update December 2018

    Severity
    Critical 4
    Qualys ID
    91488
    Vendor Reference
    KB4471318, KB4471319, KB4471320, KB4471321, KB4471322, KB4471323, KB4471324, KB4471325, KB4471326, KB4471327, KB4471328, KB4471329, KB4471330, KB4471332
    CVE Reference
    CVE-2018-8477, CVE-2018-8514, CVE-2018-8595, CVE-2018-8596, CVE-2018-8599, CVE-2018-8611, CVE-2018-8612, CVE-2018-8621, CVE-2018-8622, CVE-2018-8626, CVE-2018-8634, CVE-2018-8637, CVE-2018-8638, CVE-2018-8639, CVE-2018-8641, CVE-2018-8649
    CVSS Scores
    Base 10 / Temporal 7.8
    Description
    An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8477, CVE-2018-8611, CVE-2018-8621, CVE-2018-8622)
    An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)
    An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. (CVE-2018-8595, CVE-2018-8596)
    An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. (CVE-2018-8641)
    A denial of service vulnerability exists when Windows improperly handles objects in memory. (CVE-2018-8649)
    An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. (CVE-2018-8599)
    A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. (CVE-2018-8612)
    A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. (CVE-2018-8626)
    A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. (CVE-2018-8634)
    An information disclosure vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. (CVE-2018-8637)
    An information disclosure vulnerability exists when DirectX improperly handles objects in memory. (CVE-2018-8638)
    An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. (CVE-2018-8639)

    QID Detection Logic (Authenticated):
    Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
    This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
    The patch version of 6.0.6002.24535 (KB4471325 or KB4471319)
    The patch version of 6.1.7601.24308 (KB4471318 or KB4471328)
    The patch version of 6.2.9200.22618 (KB4471330 or KB4471326)
    The patch version of 6.3.9600.19202 (KB4471320 or KB4471322)
    The patch version of 10.0.10240.18063 (KB4471323)
    The patch version of 10.0.14393.2665 (KB4471321)
    The patch version of 10.0.15063.1506 (KB4471327)
    The patch version of 10.0.16299.846 (KB4471329)
    The patch version of 10.0.17134.471 (KB4471324)
    The patch version of 10.0.17763.194 (KB4471332)

    Consequence
    Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.

    Solution
    Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4470600
    Microsoft Security Guidance

  • Microsoft .NET Framework Security Update December 2018

    Severity
    Critical 4
    Qualys ID
    91489
    Vendor Reference
    KB4470491, KB4470492, KB4470493, KB4470498, KB4470499, KB4470500, KB4470502, KB4470600, KB4470601, KB4470602, KB4470622, KB4470623, KB4470629, KB4470630, KB4470637, KB4470638, KB4470639, KB4470640, KB4470641, KB4471321, KB4471323, KB4471324, KB4471327, KB4471329
    CVE Reference
    CVE-2018-8517, CVE-2018-8540
    CVSS Scores
    Base 10 / Temporal 7.4
    Description
    - A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly.

    - A denial of service vulnerability exists when .NET Framework improperly handles special web requests.

    KB4470491,KB4470492,KB4470493,KB4470498,KB4470499,KB4470500,KB4470502,KB4470600,KB4470601,KB4470602,KB4470622,KB4470623,KB4470629,KB4470630,KB4470637,KB4470638,KB4470639,KB4470640,KB4470641,KB4471321,KB4471323,KB4471324,KB4471327,KB4471329 are covered in this QID. This security update is rated Critical for supported versions of Microsoft .NET Framework.

    QID Detection Logic (Authenticated):
    This QID checks for the vulnerable file version of system.web.extensions.dll

    Consequence
    An attacker who successfully exploited this vulnerability can take control of an affected system.
    Solution
    Customers are advised to refer to CVE-2018-8540, CVE-2018-8517 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4470491
    KB4470492
    KB4470493
    KB4470498
    KB4470499
    KB4470500
    KB4470502
    KB4470600
    KB4470601
    KB4470602
    KB4470622
    KB4470623
    KB4470629
    KB4470630
    KB4470637
    KB4470638
    KB4470639
    KB4470640
    KB4470641
    KB4471321
    KB4471323
    KB4471324
    KB4471327
    KB4471329

  • Microsoft Windows Servicing Stack Security Update December 2018

    Severity
    Serious 3
    Qualys ID
    91490
    Vendor Reference
    KB4470788, KB4477136, KB4477137
    CVE Reference
    CVE-2018-8566
    CVSS Scores
    Base 2.1 / Temporal 1.6
    Description
    Microsoft has released Servicing Stack security updates fpr Windows 10 (Version 1809, 1803 and 1709), Windows Server 2019 (Version 1809) and Windows Server 2016 (Version 1803 and 1709).

    The update fixes the following issues:

    On Windows Server 2019 and Windows 10 version 1809 -
    Automatic corruption repair (ACR) fails with error code 0x80070057.
    A Server Core-based computer may be unable to start after you install Server Core App Compatibility Feature on Demand (FOD) installation.

    On Windows 10 (Version 1803 and 1709) and Windows Server 2016 (Version 1803 and 1709) -
    Windows cumulative updates (CU) might not install when:
    -You have not installed a cumulative update since August 2018.
    -You install a new operating system, you install this SSU, and then you try to install any Windows CU that is dated September 2018 or later.

    QID Detection Logic (Authenticated):
    Operating Systems: Windows 10, Windows Server 2016, Windows Server 2019
    This QID checks for following file versions %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
    The patch version of 10.0.16299.843 (KB4465661)
    The patch version of 10.0.17134.464 (KB4465663)
    The patch version of 10.0.17763.164 (KB4465664)

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Customers are advised to refer to advisrory ADV990001for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB4470788
    KB4477136
    KB4477137

These new vulnerability checks are included in Qualys vulnerability signature 2.4.483-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100349
    • 110327
    • 91485
    • 91486
    • 91488
    • 91489
    • 91490
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Qualys Cloud Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.