-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0148
      Security vulnerabilities patched in Microsoft development tools
                               11 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              .NET Core
                      .NET Framework
                      ASP.NET
                      ChakraCore
                      Expression Blend
                      Microsoft Research JavaScript Cryptography Library
                      Visual Studio
                      Microsoft Wireless Display Adapter
                      PowerShell Editor Services
                      Web Customizations for Active Directory Federation Services
Operating System:     Windows
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8356 CVE-2018-8327 CVE-2018-8326
                      CVE-2018-8319 CVE-2018-8306 CVE-2018-8298
                      CVE-2018-8294 CVE-2018-8291 CVE-2018-8290
                      CVE-2018-8288 CVE-2018-8287 CVE-2018-8286
                      CVE-2018-8284 CVE-2018-8283 CVE-2018-8280
                      CVE-2018-8279 CVE-2018-8276 CVE-2018-8275
                      CVE-2018-8260 CVE-2018-8232 CVE-2018-8202
                      CVE-2018-8172 CVE-2018-8171
Member content until: Friday, August 10 2018

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of July 2018.
        [1] This update resolves 23 vulnerabilities across the following
        products:

         .NET Core 1.0
         .NET Core 1.1
         .NET Core 2.0
         .NET Framework 4.7.2 Developer Pack
         ASP.NET Core 1.0
         ASP.NET Core 1.1
         ASP.NET Core 2.0
         ASP.NET MVC 5.2
         ASP.NET Web Pages 3.2.3
         ChakraCore
         Expression Blend 4 Service Pack 3
         Microsoft .NET Framework 2.0 Service Pack 2
         Microsoft .NET Framework 3.0 Service Pack 2
         Microsoft .NET Framework 3.5
         Microsoft .NET Framework 3.5.1
         Microsoft .NET Framework 4.5.2
         Microsoft .NET Framework 4.6
         Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2
         Microsoft .NET Framework 4.7.1/4.7.2
         Microsoft .NET Framework 4.7.2
         Microsoft .NET Framework 4.7/4.7.1/4.7.2
         Microsoft Research JavaScript Cryptography Library
         Microsoft Visual Studio 2010 Service Pack 1
         Microsoft Visual Studio 2012 Update 5
         Microsoft Visual Studio 2013 Update 5
         Microsoft Visual Studio 2015 Update 3
         Microsoft Visual Studio 2017
         Microsoft Visual Studio 2017 Version 15.7.5
         Microsoft Visual Studio 2017 Version 15.8 Preview
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8350
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8365
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8372
         PowerShell Editor Services
         PowerShell Extension for Visual Studio Code
         Web Customizations for Active Directory Federation Services

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.
         Details         Impact                   Severity
         CVE-2018-8171   Security Feature Bypass  Important
         CVE-2018-8172   Remote Code Execution    Important
         CVE-2018-8202   Elevation of Privilege   Important
         CVE-2018-8232   Tampering                Moderate
         CVE-2018-8260   Remote Code Execution    Important
         CVE-2018-8275   Remote Code Execution    Critical
         CVE-2018-8276   Security Feature Bypass  Important
         CVE-2018-8279   Remote Code Execution    Critical
         CVE-2018-8280   Remote Code Execution    Critical
         CVE-2018-8283   Remote Code Execution    Critical
         CVE-2018-8284   Remote Code Execution    Important
         CVE-2018-8286   Remote Code Execution    Critical
         CVE-2018-8287   Remote Code Execution    Important
         CVE-2018-8288   Remote Code Execution    Critical
         CVE-2018-8290   Remote Code Execution    Critical
         CVE-2018-8291   Remote Code Execution    Critical
         CVE-2018-8294   Remote Code Execution    Critical
         CVE-2018-8298   Remote Code Execution    Critical
         CVE-2018-8306   Remote Code Execution    Important
         CVE-2018-8319   Security Feature Bypass  Important
         CVE-2018-8326   Spoofing                 Important
         CVE-2018-8327   Remote Code Execution    Critical
         CVE-2018-8356   Security Feature Bypass  Important

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalogue for the following
        Knowledge Base articles. [1]

         KB4342193, KB4336986, KB4338825, KB4338613, KB4338602
         KB4338423, KB4338612, KB4338814, KB4338418, KB4338419
         KB4338605, KB4338422, KB4338421, KB4338424, KB4338829
         KB4338416, KB4338610, KB4338819, KB4336919, KB4338826
         KB4336999, KB4338601, KB4338415, KB4336946, KB4338604
         KB4338600, KB4338420, KB4338417, KB4339279, KB4338606
         KB4338611

REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----