===========================================================================
AUSCERT Security Bulletin

ASB-2018.0106.2
Security updates for Microsoft Office and SharePoint
16 May 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Microsoft Excel
                   Microsoft Excel Viewer
                   Microsoft Infopath
                   Microsoft Office
                   Microsoft Project Server
                   Microsoft SharePoint Enterprise Server
                   Microsoft Word
Operating System:  Windows
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8176 CVE-2018-8173 CVE-2018-8168
                   CVE-2018-8163 CVE-2018-8162 CVE-2018-8161
                   CVE-2018-8160 CVE-2018-8158 CVE-2018-8157
                   CVE-2018-8156 CVE-2018-8155 CVE-2018-8150
                   CVE-2018-8149 CVE-2018-8148 CVE-2018-8147
Member content until: Friday, June 8 2018

Revision History:  May 16 2018: Vendor added CVE-2018-8176 in Powerpoint 2016 for Mac
                   May  9 2018: Initial Release

OVERVIEW

Microsoft has released its monthly security patch update for the month
of May 2018. [1]

This update resolves 14 vulnerabilities across the following products:

  Microsoft Excel 2010 Service Pack 2 (32-bit editions)
  Microsoft Excel 2010 Service Pack 2 (64-bit editions)
  Microsoft Excel 2013 RT Service Pack 1
  Microsoft Excel 2013 Service Pack 1 (32-bit editions)
  Microsoft Excel 2013 Service Pack 1 (64-bit editions)
  Microsoft Excel 2016 (32-bit edition)
  Microsoft Excel 2016 (64-bit edition)
  Microsoft Infopath 2013 Service Pack 1 (32-bit edition)
  Microsoft Infopath 2013 Service Pack 1 (64-bit edition)
  Microsoft Office 2010 Service Pack 2 (32-bit editions)
  Microsoft Office 2010 Service Pack 2 (64-bit editions)
  Microsoft Office 2013 RT Service Pack 1
  Microsoft Office 2013 Service Pack 1 (32-bit editions)
  Microsoft Office 2013 Service Pack 1 (64-bit editions)
  Microsoft Office 2016 (32-bit edition)
  Microsoft Office 2016 (64-bit edition)
  Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
  Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
  Microsoft Office 2016 for Mac
  Microsoft Office Compatibility Pack Service Pack 3
  Microsoft Office Web Apps 2010 Service Pack 2
  Microsoft Office Web Apps Server 2010 Service Pack 2
  Microsoft Office Web Apps Server 2013 Service Pack 1
  Microsoft Project Server 2010 Service Pack 2
  Microsoft Project Server 2013 Service Pack 1
  Microsoft SharePoint Enterprise Server 2013 Service Pack 1
  Microsoft SharePoint Enterprise Server 2016
  Microsoft SharePoint Foundation 2013 Service Pack 1
  Microsoft SharePoint Server 2010 Service Pack 2
  Microsoft Word 2010 Service Pack 2 (32-bit editions)
  Microsoft Word 2010 Service Pack 2 (64-bit editions)
  Microsoft Word 2013 RT Service Pack 1
  Microsoft Word 2013 Service Pack 1 (32-bit editions)
  Microsoft Word 2013 Service Pack 1 (64-bit editions)
  Microsoft Word 2016 (32-bit edition)
  Microsoft Word 2016 (64-bit edition)
  Word Automation Services

IMPACT

Microsoft has given the following details regarding these vulnerabilities.

  Details         Impact                    Severity
  CVE-2018-8147   Remote Code Execution     Important
  CVE-2018-8148   Remote Code Execution     Important
  CVE-2018-8149   Elevation of Privilege    Important
  CVE-2018-8150   Security Feature Bypass   Important
  CVE-2018-8155   Elevation of Privilege    Important
  CVE-2018-8156   Elevation of Privilege    Important
  CVE-2018-8157   Remote Code Execution     Important
  CVE-2018-8158   Remote Code Execution     Important
  CVE-2018-8160   Information Disclosure    Important
  CVE-2018-8161   Remote Code Execution     Important
  CVE-2018-8162   Remote Code Execution     Important
  CVE-2018-8163   Information Disclosure    Important
  CVE-2018-8168   Elevation of Privilege    Important
  CVE-2018-8173   Elevation of Privilege    Important
  CVE-2018-8176   Remote Code Execution     Important

MITIGATION

Microsoft recommends updating the software with the version made
available on the Microsoft Update Catalogue for the following
Knowledge Base articles. [1]

  KB2899590, KB3114889, KB3172436, KB3162075, KB4018388
  KB4018381, KB4018383, KB4018382, KB4022142, KB4022141
  KB4022146, KB4022145, KB4018308, KB4018396, KB4018393
  KB4018390, KB4018398, KB4018399, KB4022150, KB4022137
  KB4018327, KB4022135, KB4022130, KB4022139

REFERENCES

[1] Security Update Guide
    https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================