                         AUSCERT Security Bulletin

      Security vulnerabilities patched in Microsoft development tools
                               11 July 2018


        AusCERT Security Bulletin Summary

Product:              .NET Core
                      .NET Framework
                      Expression Blend
                      Microsoft Research JavaScript Cryptography Library
                      Visual Studio
                      Microsoft Wireless Display Adapter
                      PowerShell Editor Services
                      Web Customizations for Active Directory Federation Services
Operating System:     Windows
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8356 CVE-2018-8327 CVE-2018-8326
                      CVE-2018-8319 CVE-2018-8306 CVE-2018-8298
                      CVE-2018-8294 CVE-2018-8291 CVE-2018-8290
                      CVE-2018-8288 CVE-2018-8287 CVE-2018-8286
                      CVE-2018-8284 CVE-2018-8283 CVE-2018-8280
                      CVE-2018-8279 CVE-2018-8276 CVE-2018-8275
                      CVE-2018-8260 CVE-2018-8232 CVE-2018-8202
                      CVE-2018-8172 CVE-2018-8171 
Member content until: Friday, August 10 2018


        Microsoft has released its monthly security patch update for the month of July
        2018. [1]  This update resolves 23 vulnerabilities across the following products:
         .NET Core 1.0
         .NET Core 1.1
         .NET Core 2.0
         .NET Framework 4.7.2 Developer Pack
         ASP.NET Core 1.0
         ASP.NET Core 1.1
         ASP.NET Core 2.0
         ASP.NET MVC 5.2
         ASP.NET Web Pages 3.2.3
         Expression Blend 4 Service Pack 3
         Microsoft .NET Framework 2.0 Service Pack 2
         Microsoft .NET Framework 3.0 Service Pack 2
         Microsoft .NET Framework 3.5
         Microsoft .NET Framework 3.5.1
         Microsoft .NET Framework 4.5.2
         Microsoft .NET Framework 4.6
         Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2
         Microsoft .NET Framework 4.7.1/4.7.2
         Microsoft .NET Framework 4.7.2
         Microsoft .NET Framework 4.7/4.7.1/4.7.2
         Microsoft Research JavaScript Cryptography Library
         Microsoft Visual Studio 2010 Service Pack 1
         Microsoft Visual Studio 2012 Update 5
         Microsoft Visual Studio 2013 Update 5
         Microsoft Visual Studio 2015 Update 3
         Microsoft Visual Studio 2017
         Microsoft Visual Studio 2017 Version 15.7.5
         Microsoft Visual Studio 2017 Version 15.8 Preview
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8350
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8365
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8372
         PowerShell Editor Services
         PowerShell Extension for Visual Studio Code
         Web Customizations for Active Directory Federation Services


        Microsoft has given the following details regarding these vulnerabilities.
         Details         Impact                   Severity
         CVE-2018-8171   Security Feature Bypass  Important
         CVE-2018-8172   Remote Code Execution    Important
         CVE-2018-8202   Elevation of Privilege   Important
         CVE-2018-8232   Tampering                Moderate
         CVE-2018-8260   Remote Code Execution    Important
         CVE-2018-8275   Remote Code Execution    Critical
         CVE-2018-8276   Security Feature Bypass  Important
         CVE-2018-8279   Remote Code Execution    Critical
         CVE-2018-8280   Remote Code Execution    Critical
         CVE-2018-8283   Remote Code Execution    Critical
         CVE-2018-8284   Remote Code Execution    Important
         CVE-2018-8286   Remote Code Execution    Critical
         CVE-2018-8287   Remote Code Execution    Important
         CVE-2018-8288   Remote Code Execution    Critical
         CVE-2018-8290   Remote Code Execution    Critical
         CVE-2018-8291   Remote Code Execution    Critical
         CVE-2018-8294   Remote Code Execution    Critical
         CVE-2018-8298   Remote Code Execution    Critical
         CVE-2018-8306   Remote Code Execution    Important
         CVE-2018-8319   Security Feature Bypass  Important
         CVE-2018-8326   Spoofing                 Important
         CVE-2018-8327   Remote Code Execution    Critical
         CVE-2018-8356   Security Feature Bypass  Important


        Microsoft recommends updating the software with the version made available on
        the Microsoft Update Catalogue for the following Knowledge Base articles. [1]
         KB4342193, KB4336986, KB4338825, KB4338613, KB4338602
         KB4338423, KB4338612, KB4338814, KB4338418, KB4338419
         KB4338605, KB4338422, KB4338421, KB4338424, KB4338829
         KB4338416, KB4338610, KB4338819, KB4336919, KB4338826
         KB4336999, KB4338601, KB4338415, KB4336946, KB4338604
         KB4338600, KB4338420, KB4338417, KB4339279, KB4338606


        [1] Security Update Guide

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.