===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0148
      Security vulnerabilities patched in Microsoft development tools
                               11 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              .NET Core
                      .NET Framework
                      ASP.NET
                      ChakraCore
                      Expression Blend
                      Microsoft Research JavaScript Cryptography Library
                      Visual Studio
                      Microsoft Wireless Display Adapter
                      PowerShell Editor Services
                      Web Customizations for Active Directory Federation Services
Operating System:     Windows
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8356 CVE-2018-8327 CVE-2018-8326
                      CVE-2018-8319 CVE-2018-8306 CVE-2018-8298
                      CVE-2018-8294 CVE-2018-8291 CVE-2018-8290
                      CVE-2018-8288 CVE-2018-8287 CVE-2018-8286
                      CVE-2018-8284 CVE-2018-8283 CVE-2018-8280
                      CVE-2018-8279 CVE-2018-8276 CVE-2018-8275
                      CVE-2018-8260 CVE-2018-8232 CVE-2018-8202
                      CVE-2018-8172 CVE-2018-8171 
Member content until: Friday, August 10 2018

OVERVIEW

        Microsoft has released its monthly security patch update for the month of July
        2018. [1]  This update resolves 23 vulnerabilities across the following
        products:
         .NET Core 1.0
         .NET Core 1.1
         .NET Core 2.0
         .NET Framework 4.7.2 Developer Pack
         ASP.NET Core 1.0
         ASP.NET Core 1.1
         ASP.NET Core 2.0
         ASP.NET MVC 5.2
         ASP.NET Web Pages 3.2.3
         ChakraCore
         Expression Blend 4 Service Pack 3
         Microsoft .NET Framework 2.0 Service Pack 2
         Microsoft .NET Framework 3.0 Service Pack 2
         Microsoft .NET Framework 3.5
         Microsoft .NET Framework 3.5.1
         Microsoft .NET Framework 4.5.2
         Microsoft .NET Framework 4.6
         Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2
         Microsoft .NET Framework 4.7.1/4.7.2
         Microsoft .NET Framework 4.7.2
         Microsoft .NET Framework 4.7/4.7.1/4.7.2
         Microsoft Research JavaScript Cryptography Library
         Microsoft Visual Studio 2010 Service Pack 1
         Microsoft Visual Studio 2012 Update 5
         Microsoft Visual Studio 2013 Update 5
         Microsoft Visual Studio 2015 Update 3
         Microsoft Visual Studio 2017
         Microsoft Visual Studio 2017 Version 15.7.5
         Microsoft Visual Studio 2017 Version 15.8 Preview
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8350
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8365
         Microsoft Wireless Display Adapter V2 Software Version 2.0.8372
         PowerShell Editor Services
         PowerShell Extension for Visual Studio Code
         Web Customizations for Active Directory Federation Services


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details         Impact                   Severity
         CVE-2018-8171   Security Feature Bypass  Important
         CVE-2018-8172   Remote Code Execution    Important
         CVE-2018-8202   Elevation of Privilege   Important
         CVE-2018-8232   Tampering                Moderate
         CVE-2018-8260   Remote Code Execution    Important
         CVE-2018-8275   Remote Code Execution    Critical
         CVE-2018-8276   Security Feature Bypass  Important
         CVE-2018-8279   Remote Code Execution    Critical
         CVE-2018-8280   Remote Code Execution    Critical
         CVE-2018-8283   Remote Code Execution    Critical
         CVE-2018-8284   Remote Code Execution    Important
         CVE-2018-8286   Remote Code Execution    Critical
         CVE-2018-8287   Remote Code Execution    Important
         CVE-2018-8288   Remote Code Execution    Critical
         CVE-2018-8290   Remote Code Execution    Critical
         CVE-2018-8291   Remote Code Execution    Critical
         CVE-2018-8294   Remote Code Execution    Critical
         CVE-2018-8298   Remote Code Execution    Critical
         CVE-2018-8306   Remote Code Execution    Important
         CVE-2018-8319   Security Feature Bypass  Important
         CVE-2018-8326   Spoofing                 Important
         CVE-2018-8327   Remote Code Execution    Critical
         CVE-2018-8356   Security Feature Bypass  Important


MITIGATION

        Microsoft recommends updating the software with the version made available on
        the Microsoft Update Catalogue for the following Knowledge Base articles. [1]
        
        
         KB4342193, KB4336986, KB4338825, KB4338613, KB4338602
         KB4338423, KB4338612, KB4338814, KB4338418, KB4338419
         KB4338605, KB4338422, KB4338421, KB4338424, KB4338829
         KB4338416, KB4338610, KB4338819, KB4336919, KB4338826
         KB4336999, KB4338601, KB4338415, KB4336946, KB4338604
         KB4338600, KB4338420, KB4338417, KB4339279, KB4338606
         KB4338611


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================