Microsoft security alert.
December 11, 2018
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 37 vulnerabilities that were fixed in 7 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 7 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Security Update for December 2018
- Severity
- Urgent 5
- Qualys ID
- 100349
- Vendor Reference
- KB4470199, KB4471318, KB4471320, KB4471321, KB4471323, KB4471324, KB4471325, KB4471327, KB4471329, KB4471330, KB4471332
- CVE Reference
- CVE-2018-8619, CVE-2018-8625, CVE-2018-8631, CVE-2018-8643
- CVSS Scores
- Base 7.6 / Temporal 6
- Description
-
Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.
Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10) and Internet Explorer 11 (IE 11). The most severe of the vulnerabilities could allow remote code execution.
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 8 Standard, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016,Windows Server 2019.
This QID checks for the file version of %windir%\System32\mshtml.dll
The following versions of mshtml.dll with their corresponding KBs are verified:
1.KB4471318 - 11.0.9600.19204
2.KB4470199 - 11.0.9600.19204,10.0.9200.22620,11.0.9600.19204,9.0.8112.21291,
3.KB4471320 - 11.0.9600.19204
4.KB4471321 - 11.0.14393.2665
5.KB4471323 - 11.0.10240.18063
6.KB4471327 - 11.0.15063.1506
7.KB4471329 - 11.0.16299.846
8.KB4471324 - 11.0.17134.471
9.KB4471332 - 11.0.17763.194
10.KB4471330 - 10.0.9200.22620
11.KB4471325 - 9.0.8112.21291
- Consequence
-
Successful exploitation of the vulnerability can lead to arbitrary code execution within the context of the current user.
- Solution
-
For more information, refer to the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update December 2018
- Severity
- Critical 4
- Qualys ID
- 110327
- Vendor Reference
- KB2597975, KB2965312, KB4011207, KB4011680, KB4092472, KB4461465, KB4461481, KB4461521, KB4461532, KB4461541, KB4461542, KB4461544, KB4461549, KB4461551, KB4461556, KB4461558, KB4461559, KB4461565, KB4461566, KB4461569, KB4461570, KB4461576, KB4461577, KB4461580
- CVE Reference
- CVE-2018-8580, CVE-2018-8587, CVE-2018-8597, CVE-2018-8598, CVE-2018-8627, CVE-2018-8628, CVE-2018-8635, CVE-2018-8636, CVE-2018-8650
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft released security updates in December 2018 to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB2597975
KB2965312
KB4011207
KB4011680
KB4092472
KB4461465
KB4461481
KB4461521
KB4461532
KB4461541
KB4461542
KB4461544
KB4461549
KB4461551
KB4461556
KB4461558
KB4461559
KB4461565
KB4461566
KB4461569
KB4461570
KB4461576
KB4461577
KB4461580
QID Detection Logic:
This authenticated QID checks the file versions from above Microsoft KB article with the versions on affected office system. - Consequence
- Successful exploitation allows an attacker to execute arbitrary code.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update December 2018
-
Microsoft Edge Security Update for December 2018
- Severity
- Urgent 5
- Qualys ID
- 91485
- Vendor Reference
- KB4471321, KB4471323, KB4471324, KB4471327, KB4471329, KB4471332
- CVE Reference
- CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629
- CVSS Scores
- Base 7.6 / Temporal 6
- Description
-
Microsoft Edge is a web browser developed by Microsoft that replaces Internet Explorer as the default web browser. Microsoft Edge is vulnerable to multiple issues.
The KB Articles associated with the update:
KB4471323
KB4471321
KB4471327
KB4471329
KB4471324
KB4471332The QID Detection Logic (Authenticated):
This QID reviews the file version of %windir%\System32\edgehtml.dll
The patch version is 11.0.10240.18063 (KB4471323)
The patch version is 11.0.14393.2636 (KB4471321)
The patch version is 11.0.15063.1478 (KB4471327)
The patch version is 11.0.16299.820 (KB4471329)
The patch version is 11.0.17134.471 (KB4471324)
The patch version is 11.0.17763.168 (KB4471332)
- Consequence
-
Depending on the vulnerability being exploited, a remote attacker could exploit these vulnerabilities to bypass security restrictions, gain access to sensitive data or execute arbitrary code on the targeted system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows(Edge)
-
Microsoft Visual Studio Security Update for December 2018
- Severity
- Critical 4
- Qualys ID
- 91486
- Vendor Reference
- CVE-2018-8599
- CVE Reference
- CVE-2018-8599
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly handles certain file operations. To exploit this vulnerability, an attacker would require unprivileged access to a vulnerable system.
Affected Software:
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017
Microsoft Visual Studio 2017 Version 15.9QID Detection Logic:
This QID detects vulnerable versions of Microsoft Visual Studio 2015 Update 3 by checking if the StandardCollector.Service.exe file version is lesser than 14.0.27529.0 - Consequence
- Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with elevated privileges on the targeted system.
- Solution
-
Customers are advised to refer to CVE-2018-8599 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2018-8599
-
Microsoft Windows Security Update December 2018
- Severity
- Critical 4
- Qualys ID
- 91488
- Vendor Reference
- KB4471318, KB4471319, KB4471320, KB4471321, KB4471322, KB4471323, KB4471324, KB4471325, KB4471326, KB4471327, KB4471328, KB4471329, KB4471330, KB4471332
- CVE Reference
- CVE-2018-8477, CVE-2018-8514, CVE-2018-8595, CVE-2018-8596, CVE-2018-8599, CVE-2018-8611, CVE-2018-8612, CVE-2018-8621, CVE-2018-8622, CVE-2018-8626, CVE-2018-8634, CVE-2018-8637, CVE-2018-8638, CVE-2018-8639, CVE-2018-8641, CVE-2018-8649
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. (CVE-2018-8477, CVE-2018-8611, CVE-2018-8621, CVE-2018-8622)
An information disclosure vulnerability exists when Remote Procedure Call runtime improperly initializes objects in memory. (CVE-2018-8514)
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. (CVE-2018-8595, CVE-2018-8596)
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. (CVE-2018-8641)
A denial of service vulnerability exists when Windows improperly handles objects in memory. (CVE-2018-8649)
An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations. (CVE-2018-8599)
A Denial Of Service vulnerability exists when Connected User Experiences and Telemetry Service fails to validate certain function values. (CVE-2018-8612)
A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. (CVE-2018-8626)
A remote code execution vulnerability exists in Windows where Microsoft text-to-speech fails to properly handle objects in the memory. (CVE-2018-8634)
An information disclosure vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. (CVE-2018-8637)
An information disclosure vulnerability exists when DirectX improperly handles objects in memory. (CVE-2018-8638)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. (CVE-2018-8639)QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8.1, Windows RT 8.1, Windows10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
This QID checks for following file versions %windir%\System32\ntoskrnl.exe:
The patch version of 6.0.6002.24535 (KB4471325 or KB4471319)
The patch version of 6.1.7601.24308 (KB4471318 or KB4471328)
The patch version of 6.2.9200.22618 (KB4471330 or KB4471326)
The patch version of 6.3.9600.19202 (KB4471320 or KB4471322)
The patch version of 10.0.10240.18063 (KB4471323)
The patch version of 10.0.14393.2665 (KB4471321)
The patch version of 10.0.15063.1506 (KB4471327)
The patch version of 10.0.16299.846 (KB4471329)
The patch version of 10.0.17134.471 (KB4471324)
The patch version of 10.0.17763.194 (KB4471332)
- Consequence
-
Successful exploitation allows an attacker to execute arbitrary code and take control of an affected system.
- Solution
-
Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4470600
Microsoft Security Guidance
-
Microsoft .NET Framework Security Update December 2018
- Severity
- Critical 4
- Qualys ID
- 91489
- Vendor Reference
- KB4470491, KB4470492, KB4470493, KB4470498, KB4470499, KB4470500, KB4470502, KB4470600, KB4470601, KB4470602, KB4470622, KB4470623, KB4470629, KB4470630, KB4470637, KB4470638, KB4470639, KB4470640, KB4470641, KB4471323, KB4471324, KB4471327, KB4471329
- CVE Reference
- CVE-2018-8517, CVE-2018-8540
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
- A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly.
- A denial of service vulnerability exists when .NET Framework improperly handles special web requests.
KB4470491,KB4470492,KB4470493,KB4470498,KB4470499,KB4470500,KB4470502,KB4470600,KB4470601,KB4470602,KB4470622,KB4470623,KB4470629,KB4470630,KB4470637,KB4470638,KB4470639,KB4470640,KB4470641,KB4471323,KB4471324,KB4471327,KB4471329 are covered in this QID. This security update is rated Critical for supported versions of Microsoft .NET Framework.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable file version of system.web.extensions.dll - Consequence
- An attacker who successfully exploited this vulnerability can take control of an affected system.
- Solution
-
Customers are advised to refer to CVE-2018-8540, CVE-2018-8517 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4470491
KB4470492
KB4470493
KB4470498
KB4470499
KB4470500
KB4470502
KB4470600
KB4470601
KB4470602
KB4470622
KB4470623
KB4470629
KB4470630
KB4470637
KB4470638
KB4470639
KB4470640
KB4470641
KB4471321
KB4471323
KB4471324
KB4471327
KB4471329
-
Microsoft Windows Servicing Stack Security Update December 2018
- Severity
- Serious 3
- Qualys ID
- 91490
- Vendor Reference
- KB4470788, KB4477136, KB4477137, KB5011570, KB5014026
- CVE Reference
- CVE-2018-8566
- CVSS Scores
- Base 2.1 / Temporal 1.6
- Description
-
Microsoft has released Servicing Stack security updates fpr Windows 10 (Version 1809, 1803 and 1709), Windows Server 2019 (Version 1809) and Windows Server 2016 (Version 1803 and 1709).
The update fixes the following issues:
On Windows Server 2019 and Windows 10 version 1809 -
Automatic corruption repair (ACR) fails with error code 0x80070057.
A Server Core-based computer may be unable to start after you install Server Core App Compatibility Feature on Demand (FOD) installation.On Windows 10 (Version 1803 and 1709) and Windows Server 2016 (Version 1803 and 1709) -
Windows cumulative updates (CU) might not install when:
-You have not installed a cumulative update since August 2018.
-You install a new operating system, you install this SSU, and then you try to install any Windows CU that is dated September 2018 or later.QID Detection Logic (Authenticated):
Operating Systems: Windows 10, Windows Server 2016, Windows Server 2019
This QID checks for following file versions %windir%\WinSxS\*microsoft-windows-servicingstack*\CbsCore.dll:
The patch version of 10.0.16299.843 (KB4465661)
The patch version of 10.0.17134.464 (KB4465663)
The patch version of 10.0.17763.164 (KB4465664)
- Consequence
- Successful exploitation allows attacker to compromise the system.
- Solution
-
Customers are advised to refer to advisrory ADV990001for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB4470788
KB4477136
KB4477137
These new vulnerability checks are included in Qualys vulnerability signature 2.4.483-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100349
- 110327
- 91485
- 91486
- 91488
- 91489
- 91490
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.